LDAP Injection Vulnerability in Python LDAP Client API by python-ldap
CVE-2025-61911

5.5MEDIUM

Key Information:

Vendor

Python-ldap

Status
Python-ldap
Vendor
CVE Published:
10 October 2025

What is CVE-2025-61911?

The python-ldap library, a popular LDAP client API for Python, has a vulnerability in its sanitization method ldap.filter.escape_filter_chars. In versions before 3.4.5, an attacker can exploit this flaw when providing a crafted list or dictionary as the assertion_value parameter while using non-default escape_mode=1. Unlike other modes that raise exceptions for such inputs, escape_mode=1 neglects these checks, enabling an attacker to launch LDAP injection attacks. This can lead to unauthorized disclosure or manipulation of sensitive LDAP data. Version 3.4.5 addresses this issue by adding necessary type checks to prevent the exploitation of this vulnerability.

Affected Version(s)

python-ldap < 3.4.5

References

https://github.com/python-ldap/python-ldap/security/advis...
x_refsource_CONFIRM
https://github.com/python-ldap/python-ldap/commit/3957526...
x_refsource_MISC
https://github.com/python-ldap/python-ldap/releases/tag/p...
x_refsource_MISC

CVSS V4

Score:
5.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.