PT-2026-3848 · Python+1

Published: 2024-10-12 · Updated: 2026-05-05

CVE-2025-12781

CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Python (affected versions not specified)
Description: The b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module accept the characters "+" and "/" regardless of the altchars parameter. This deviates from newer RFC recommendations, which call for either dropping unrecognised characters or raising an error. The discrepancy can lead to data-integrity issues in an application that relies on a custom base64 alphabet excluding "+/". The issue is not a security flaw in itself but a deviation from current standards that can cause unexpected behaviour. The provided patch deprecates the existing behaviour, with the intent of aligning with the newer RFC recommendations in a future Python version.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
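
The following is an added example, not part of this advisory record or of CPython itself. It first shows how to check whether the installed interpreter exhibits the described behaviour (b64decode with a custom altchars alphabet and validate=True still accepting "+" and "/"), and then a small strict decoder that rejects any byte outside the configured 64-character alphabet before handing the data to the standard library, which is the mitigation an application relying on a custom alphabet would want until the behaviour changes. The function names (is_in_alphabet, stdlib_accepts_plus_slash, strict_b64decode) and the sample inputs are constructed for this example.

```python
import base64
import binascii
import re

# Standard RFC 4648 alphabet without the two variable characters.
_BASE62 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def is_in_alphabet(data: bytes, altchars: bytes = b"+/") -> bool:
    """Return True if every byte of `data` is in the 64-character alphabet
    formed by the 62 fixed characters plus `altchars`, followed by at most
    two '=' padding characters. This is the check the stdlib does not do
    for the custom alphabet: it only validates against the standard one."""
    if len(altchars) != 2:
        raise ValueError("altchars must be exactly two bytes")
    alphabet = _BASE62 + altchars
    pattern = re.compile(rb"[" + re.escape(alphabet) + rb"]*={0,2}")
    return pattern.fullmatch(data) is not None


def stdlib_accepts_plus_slash(data: bytes, altchars: bytes = b"-_") -> bool:
    """Probe for the advisory's behaviour on the running interpreter.

    Returns True when base64.b64decode(validate=True) accepts `data` even
    though it contains '+' or '/' which are not part of `altchars`. As the
    advisory describes, b64decode translates altchars to '+/' and then
    validates against the standard alphabet, so '+' and '/' always pass."""
    try:
        base64.b64decode(data, altchars=altchars, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def strict_b64decode(data: bytes, altchars: bytes = b"+/") -> bytes:
    """Decode base64 with a custom two-character alphabet, raising
    binascii.Error on any character outside that alphabet (including
    '+' and '/' when they are not the chosen altchars), instead of
    silently accepting them as the stdlib currently does."""
    if not is_in_alphabet(data, altchars):
        raise binascii.Error("input contains characters outside the configured alphabet")
    # Map the custom characters onto '+/' ourselves; after the check above
    # the only characters reaching the stdlib are genuinely in the alphabet.
    if altchars != b"+/":
        data = data.translate(bytes.maketrans(altchars, b"+/"))
    return base64.b64decode(data, validate=True)


if __name__ == "__main__":
    # Constructed sample: "ab+/" is valid standard base64 but contains two
    # characters that are not in the URL-safe alphabet "-_".
    print("stdlib accepts '+/' with altchars='-_':", stdlib_accepts_plus_slash(b"ab+/"))
    print("strict decoder of 'ab-_':", strict_b64decode(b"ab-_", altchars=b"-_"))
    try:
        strict_b64decode(b"ab+/", altchars=b"-_")
    except binascii.Error as exc:
        print("strict decoder rejected 'ab+/':", exc)
```

Run it as a script to see the probe result for the interpreter in use; in application code, route any decode that depends on a custom alphabet through strict_b64decode (or an equivalent pre-check) so that inputs mixing alphabets are rejected rather than decoded to unintended bytes.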

Exploit

Incorrect Type Conversion or Cast

Weakness Enumeration

Related Identifiers

AZL-75225
AZL-75231
BDU:2026-05132
BIT-LIBPYTHON-2025-12781
BIT-PYTHON-2025-12781
BIT-PYTHON-MIN-2025-12781
CVE-2025-12781
ECHO-F28E-A9D3-D8E5
OESA-2026-1356
OESA-2026-1461
OPENSUSE-SU-2026:10152-1
OPENSUSE-SU-2026:10206-1
OPENSUSE-SU-2026:10221-1
OPENSUSE-SU-2026:10222-1
PSF-2026-7
SUSE-SU-2026:0693-1
SUSE-SU-2026:0767-1
SUSE-SU-2026:20665-1
SUSE-SU-2026:20710-1

Affected Products

Python
Red Os