CVE-2025-61912
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-61912, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-10

Last updated on: 2025-12-04

Assigner: GitHub, Inc.

Description

python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-10
Last Modified
2025-12-04
Generated
2026-07-06
AI Q&A
2025-10-11
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
python-ldap python-ldap From 3.13.1 (inc) to 3.13.11 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CWE-170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in the python-ldap library versions prior to 3.4.5. The function ldap.dn.escape_dn_chars() incorrectly escapes the null byte (\x00) by emitting a backslash followed by a literal NUL byte instead of the correct RFC-4514 hex form \00. This improper escaping can cause applications that use this function to construct distinguished names (DNs) from untrusted input to fail consistently before sending requests to the LDAP server, resulting in a client-side denial of service.

Impact Analysis

If your application uses python-ldap versions prior to 3.4.5 and relies on ldap.dn.escape_dn_chars() to construct DNs from untrusted input, this vulnerability can cause your application to fail consistently before sending LDAP requests. This results in a client-side denial of service, potentially disrupting application functionality that depends on LDAP operations.

Mitigation Strategies

Upgrade python-ldap to version 3.4.5 or later, which contains a patch for the issue. Avoid using ldap.dn.escape_dn_chars() on untrusted input in versions prior to 3.4.5 to prevent client-side denial of service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61912. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart