Type conversion in Python - CVE-2025-12781
Published: February 17, 2026
Vulnerability identifier: #VU122976
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-12781
CWE-ID: CWE-704
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Python.org
Affected software:
Python
Python
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a type conversion issue in b64decode(), standard_b64decode(), and urlsafe_b64decode() functions when parsing strings with "+" or "/" character. A remote attacker send specially crafted data to the application that can bypass implemented security restrictions.
How to mitigate CVE-2025-12781
Install updates from vendor's website.
Sources
- https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b
- https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947
- https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5
- https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76
- https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5
- https://github.com/python/cpython/issues/125346
- https://github.com/python/cpython/pull/141128
- https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/