CVE-2025-4516

Use-after-free in "unicode_escape" decoder with error handler

Description

There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.

Category

5.9
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 0.02%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://github.com/python/cpython/issues/133767 issue tracking
https://github.com/python/cpython/pull/129648 patch
https://mail.python.org/archives/list/security-announce@python.org/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/ vendor advisory
https://github.com/python/cpython/commit/69b4387f78f413e8c47572a85b3478c47eba8142 patch
https://github.com/python/cpython/commit/9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e patch
https://github.com/python/cpython/commit/4398b788ffc1f954a2c552da285477d42a571292 patch
https://github.com/python/cpython/commit/6279eb8c076d89d3739a6edb393e43c7929b429d patch
https://github.com/python/cpython/commit/73b3040f592436385007918887b7e2132aa8431f patch
https://github.com/python/cpython/commit/8d35fd1b34935221aff23a1ab69a429dd156be77 patch
https://github.com/python/cpython/commit/ab9893c40609935e0d40a6d2a7307ea51aec598b patch
http://www.openwall.com/lists/oss-security/2025/05/16/4
http://www.openwall.com/lists/oss-security/2025/05/19/1

Frequently Asked Questions

What is the severity of CVE-2025-4516?
CVE-2025-4516 has been scored as a medium severity vulnerability.
How to fix CVE-2025-4516?
To fix CVE-2025-4516, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-4516 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2025-4516 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4516?
CVE-2025-4516 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.