CVE-2025-61911: python-ldap has sanitization bypass in ldap.filter.escape_filter_chars
The sanitization method ldap.filter.escape_filter_chars can be tricked into skipping the escaping of special characters when a crafted list or dict is supplied as the assertion_value parameter and the non-default escape_mode=1 is configured.
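A defensive wrapper illustrating the mitigation, added here as an example and not code from python-ldap: it refuses anything that is not a str before escaping, and verifies the escaper's output before the value is placed in a filter. The names escape_assertion_value, is_well_escaped and build_uid_filter and the inline RFC 4515 escape table are assumptions; in a real deployment the escaping call would be ldap.filter.escape_filter_chars, with the same type check guarding it.

```python
from typing import Any

# RFC 4515: these characters in an assertion value are encoded as backslash + two hex digits.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_assertion_value(assertion_value: Any) -> str:
    """Escape an LDAP filter assertion value, rejecting anything that is not a str.

    Hypothetical stand-in for ldap.filter.escape_filter_chars. The type check is the
    point: a list or dict is iterable too, so a per-character escaper handed one walks
    elements instead of characters and can leave metacharacters inside them untouched.
    """
    if not isinstance(assertion_value, str):
        raise TypeError(f"assertion value must be str, got {type(assertion_value).__name__}")
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in assertion_value)


def is_well_escaped(escaped: str) -> bool:
    """Post-condition for any escaper's output: no raw '*', '(', ')' or NUL may remain,
    and every backslash must introduce exactly two hex digits."""
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch in "*()\x00":
            return False
        if ch == "\\":
            hexpart = escaped[i + 1:i + 3]
            if len(hexpart) != 2 or any(c not in "0123456789abcdefABCDEF" for c in hexpart):
                return False
            i += 3
            continue
        i += 1
    return True


def build_uid_filter(user_input: Any) -> str:
    """Build '(uid=...)' from untrusted input, failing closed if escaping cannot be trusted."""
    escaped = escape_assertion_value(user_input)
    if not is_well_escaped(escaped):
        raise ValueError("escaped assertion value still contains filter metacharacters")
    return f"(uid={escaped})"
```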
References
- github.com/advisories/GHSA-r7r6-cc7p-4v5m
- github.com/python-ldap/python-ldap
- github.com/python-ldap/python-ldap/commit/3957526fb1852e84b90f423d9fef34c7af25b85a
- github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5
- github.com/python-ldap/python-ldap/security/advisories/GHSA-r7r6-cc7p-4v5m
- nvd.nist.gov/vuln/detail/CVE-2025-61911