CVE-2023-41105
📋 TL;DR
A vulnerability in Python 3.11 through 3.11.4 allows path truncation via null bytes in os.path.normpath(). This can bypass security checks that previously rejected malicious filenames, potentially enabling path traversal or file access attacks. Applications using Python 3.11.x for file operations are affected.
💻 Affected Systems
- Python
📦 What is this software?
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass file validation to access sensitive files, execute arbitrary code via file inclusion, or perform directory traversal attacks.
Likely Case
Bypass of filename validation leading to unauthorized file access or path manipulation in applications that rely on os.path.normpath() for security checks.
If Mitigated
Limited impact if applications implement additional validation layers or don't use os.path.normpath() for security decisions.
🎯 Exploit Status
Exploitation requires application-specific conditions where os.path.normpath() is used for security validation of file paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Python 3.11.5 and later
Vendor Advisory: https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
Restart Required: Yes
Instructions:
1. Upgrade Python to version 3.11.5 or later.
2. Restart all Python applications and services.
3. Test application functionality after the upgrade.
🔧 Temporary Workarounds
Input validation workaround
Add explicit null byte validation before passing paths to os.path.normpath():
    if '\x00' in user_input_path:
        raise ValueError('Null bytes not allowed in paths')
Path sanitization wrapper
Create a wrapper function that validates paths before calling os.path.normpath():
    import os

    def safe_normpath(path):
        # Reject embedded null bytes up front so the result can never be
        # truncated, whether or not the running interpreter is affected.
        if '\x00' in str(path):
            raise ValueError('Invalid path containing null byte')
        return os.path.normpath(path)
🧯 If You Can't Patch
- Implement strict input validation to reject paths containing null bytes before processing
- Use alternative path normalization methods that don't rely on os.path.normpath() for security decisions
🔍 How to Verify
Check if Vulnerable:
Run: python3 -c "import os; print('Vulnerable' if os.path.normpath('test\x00bypass') == 'test' else 'Not vulnerable')"
Check Version:
python3 --version
Verify Fix Applied:
After patching, the same command should print 'Not vulnerable'.
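The verification check above and the safe_normpath wrapper from the workarounds section, combined into one runnable module as an added example. This code is not from the advisory or from CPython; the names normpath_truncates, resolve_under, classify and UnsafePathError, and the sample base directory /srv/app/uploads, are this example's own. It goes one step beyond the wrapper by also confirming that the normalized result still lies under an expected base directory, since the advisory's concern is checks that run before normalization rather than after it.

```python
import os

# Added example; not taken from the advisory or from CPython. The names
# normpath_truncates, resolve_under, classify and UnsafePathError and the
# sample base directory are this example's own.


class UnsafePathError(ValueError):
    """Raised when a caller-supplied path fails validation."""


def normpath_truncates() -> bool:
    """Report whether this interpreter's os.path.normpath() cuts the path at
    an embedded NUL byte (the advisory's one-line check, as a function).

    Python 3.11.0 through 3.11.4 return 'test' for 'test\\x00bypass'; fixed
    interpreters (3.11.5 and later) keep the NUL, so the comparison is False.
    """
    return os.path.normpath("test\x00bypass") == "test"


def safe_normpath(path: str) -> str:
    """Normalize a path only after rejecting embedded NUL bytes.

    Refusing NUL up front means the result is identical on affected and
    fixed interpreters: the truncation can never happen.
    """
    if "\x00" in path:
        raise UnsafePathError("null byte in path")
    return os.path.normpath(path)


def resolve_under(base_dir: str, user_path: str) -> str:
    """Join a caller-supplied relative path onto base_dir and return the
    normalized absolute path, raising if it would land outside base_dir.

    The containment test is applied to the normalized result, not to the raw
    input, and uses os.path.commonpath rather than a string-prefix test so a
    sibling directory such as '/srv/app/uploads2' is not treated as a child.
    """
    base = os.path.abspath(safe_normpath(base_dir))
    if os.path.isabs(user_path):
        raise UnsafePathError("absolute paths are not accepted")
    candidate = os.path.abspath(safe_normpath(os.path.join(base, user_path)))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # paths on different drives (Windows)
        inside = False
    if not inside:
        raise UnsafePathError("path escapes the base directory")
    return candidate


def classify(base_dir: str, user_path: str) -> str:
    """Return 'ok' when the path is accepted, otherwise the rejection reason."""
    try:
        resolve_under(base_dir, user_path)
        return "ok"
    except UnsafePathError as exc:
        return str(exc)


if __name__ == "__main__":
    print("normpath truncates at NUL:", normpath_truncates())
    sample_base = "/srv/app/uploads"  # constructed sample directory
    # Constructed sample inputs: two benign, one escaping, one with a NUL.
    for sample in ("docs/readme.txt", "a/../b.txt", "../outside.txt",
                   "report.txt\x00.png"):
        print(repr(sample), "->", classify(sample_base, sample))
```

Running the module prints the truncation check for the current interpreter followed by the verdict for each sample path; the NUL-bearing sample is rejected by safe_normpath before normalization ever runs, so its outcome does not depend on the Python version.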
📡 Detection & Monitoring
Log Indicators:
- Unexpected file access patterns
- Failed path validation attempts with null bytes
- Application errors from path processing functions
Network Indicators:
- Unusual file upload patterns with encoded null bytes
SIEM Query:
Search application logs for file access errors or path validation failures that reference os.path.normpath or other path-processing functions.
🔗 References
- https://github.com/python/cpython/issues/106242
- https://github.com/python/cpython/pull/107981
- https://github.com/python/cpython/pull/107982
- https://github.com/python/cpython/pull/107983
- https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
- https://security.netapp.com/advisory/ntap-20231006-0015/