{"timestamp":"2026-01-22T14:53:47.177224Z","id":"CVE-2025-12781","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Python Software Foundation","product":"CPython","defaultStatus":"unaffected","modules":["base64"],"repo":"https://github.com/python/cpython","versions":[{"version":"0","lessThan":"3.13.10","versionType":"python","status":"affected"},{"version":"3.14.0","lessThan":"3.14.1","versionType":"python","status":"affected"},{"version":"3.15.0a1","lessThan":"3.15.0a2","versionType":"python","status":"affected"}]}]

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

OR
          *cpe:2.3:a:python:python:3.15.0:alpha1:*:*:*:*:*:*
          *cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from (including) 3.14.0 up to (excluding) 3.14.1
          *cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions up to (excluding) 3.13.10

Python Software Foundation: https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b Types: Patch

Python Software Foundation: https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947 Types: Patch

Python Software Foundation: https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5 Types: Patch

Python Software Foundation: https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76 Types: Patch

Python Software Foundation: https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5 Types: Patch

Python Software Foundation: https://github.com/python/cpython/issues/125346 Types: Exploit, Issue Tracking

Python Software Foundation: https://github.com/python/cpython/pull/141128 Types: Issue Tracking, Patch

Python Software Foundation: https://mail.python.org/archives/list/[email protected]/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/ Types: Mailing List, Vendor Advisory

https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b

https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947

https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5

https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76

https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5

CWE-704

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.




This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.




The attached patches DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying user-controlled inputs match the base64 
alphabet they are expecting or verify that their application would not be 
affected if the b64decode() functions accepted "+" or "/" outside of altchars.

AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

https://github.com/python/cpython/issues/125346

https://github.com/python/cpython/pull/141128

https://mail.python.org/archives/list/[email protected]/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/