CVE-2025-61912
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description
python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-10-11
EPSS Evaluated
2026-06-14
NVD
CVE-2025-61912
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
python-ldap python-ldap From 3.13.1 (inc) to 3.13.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the python-ldap library versions prior to 3.4.5. The function ldap.dn.escape_dn_chars() incorrectly escapes the null byte (\x00) by emitting a backslash followed by a literal NUL byte instead of the correct RFC-4514 hex form \00. This improper escaping can cause applications that use this function to construct distinguished names (DNs) from untrusted input to fail consistently before sending requests to the LDAP server, resulting in a client-side denial of service.

Impact Analysis

If your application uses python-ldap versions prior to 3.4.5 and relies on ldap.dn.escape_dn_chars() to construct DNs from untrusted input, this vulnerability can cause your application to fail consistently before sending LDAP requests. This results in a client-side denial of service, potentially disrupting application functionality that depends on LDAP operations.

Mitigation Strategies

Upgrade python-ldap to version 3.4.5 or later, which contains a patch for the issue. Avoid using ldap.dn.escape_dn_chars() on untrusted input in versions prior to 3.4.5 to prevent client-side denial of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61912. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart