CVE-2025-50817
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-09-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python-future | python-future | 1.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Python-Future 1.0.0 module allows an attacker to execute arbitrary code by exploiting the module's behavior of automatically importing a file named test.py if it exists in the same directory or in the sys.path. If an attacker can write a malicious test.py file to the server, it will be imported and executed when the module loads.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to run arbitrary code on your server, potentially leading to unauthorized access, data theft, system compromise, or further attacks within your environment.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that no untrusted test.py files exist in directories where the Python-Future 1.0.0 module is used or in the sys.path. Restrict write permissions to these directories to prevent attackers from placing malicious test.py files. Additionally, consider updating or patching the module if a fixed version is available or avoid using Python-Future 1.0.0 until the issue is resolved.