CVE-2025-22153: try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter

January 23, 2025

Via a type confusion bug in the CPython interpreter when using try/except* RestrictedPython could be bypassed.

We believe this should be fixed upstream in Python itself until that we remove support for try/except* from RestrictedPython. (It has been fixed for some Python versions.)

References

github.com/advisories/GHSA-gmj9-h825-chq2
github.com/zopefoundation/RestrictedPython
github.com/zopefoundation/RestrictedPython/commit/48a92c5bb617a647cffd0dadd4d5cfe626bcdb2f
github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-gmj9-h825-chq2
nvd.nist.gov/vuln/detail/CVE-2025-22153

Detect and mitigate CVE-2025-22153 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →