CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-4516: Use-after-free in "unicode_escape" decoder with error handler

5.9 CVSS

Description

There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work-around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.

Classification

CVE ID: CVE-2025-4516

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.9

CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem Types

CWE-416 Use After Free

Affected Products

Vendor: Python Software Foundation

Product: CPython

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 3.15% (scored less or equal to compared to others)

EPSS Date: 2025-06-13 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4516
https://github.com/python/cpython/issues/133767
https://github.com/python/cpython/pull/129648
https://mail.python.org/archives/list/[email protected]/thread/L75IPBBTSCYEF56I2M4KIW353BB3AY74/
https://github.com/python/cpython/commit/69b4387f78f413e8c47572a85b3478c47eba8142
https://github.com/python/cpython/commit/9f69a58623bd01349a18ba0c7a9cb1dad6a51e8e

Timeline

2025-05-15 14:40:22 UTC
CVE

Use-after-free in "unicode_escape" decoder with error handler