CVE-2025-61912 – A vulnerability in python-ldap's escape_dn

Q: What is the severity of CVE-2025-61912?

CVE-2025-61912 has a CVSS score of 5.3 (MEDIUM). A vulnerability in python-ldap's escape_dn_chars() function incorrectly escapes null bytes, causing client-side denial of service when constructing DNs from untrusted input. Applications using python-ldap versions before 3.4.5 to process user-controlled data for LDAP operations are affected. The vulnerability prevents requests from reaching LDAP servers by causing consistent failures during DN construction.

📋 TL;DR

A vulnerability in python-ldap's escape_dn_chars() function incorrectly escapes null bytes, causing client-side denial of service when constructing DNs from untrusted input. Applications using python-ldap versions before 3.4.5 to process user-controlled data for LDAP operations are affected. The vulnerability prevents requests from reaching LDAP servers by causing consistent failures during DN construction.

💻 Affected Systems

Products:

python-ldap

Versions: All versions prior to 3.4.5

Operating Systems: All platforms running Python

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects applications using ldap.dn.escape_dn_chars() with untrusted input. Applications not using this function or not processing user input for DNs are not vulnerable.

📦 What is this software?

Python Ldap by Python Ldap

View all CVEs affecting Python Ldap →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for LDAP-dependent applications when processing malicious input, rendering authentication and directory services unavailable.

🟠

Likely Case

Intermittent service disruptions when applications encounter specially crafted input containing null bytes in DN components.

🟢

If Mitigated

Minimal impact with input validation and sanitization preventing null bytes from reaching the vulnerable function.

🌐 Internet-Facing: MEDIUM - Applications accepting user input for LDAP operations could be targeted for DoS, but requires specific input conditions.

🏢 Internal Only: LOW - Internal applications are less likely to receive malicious input, but could still be affected by accidental or internal misuse.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires the application to use escape_dn_chars() on attacker-controlled input. The vulnerability is in client-side processing, not server-side.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.5

Vendor Advisory: https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6

Restart Required: No

Instructions:

1. Update python-ldap: pip install python-ldap==3.4.5 2. Verify the update: pip show python-ldap 3. Test LDAP functionality with applications using the library.

🔧 Temporary Workarounds

Input validation for null bytes

all

Implement input validation to reject or sanitize null bytes before they reach escape_dn_chars()

# Python example: validate input before using escape_dn_chars()
if '\x00' in user_input:
    raise ValueError('Null bytes not allowed in DN input')

🧯 If You Can't Patch

Implement strict input validation to prevent null bytes from reaching escape_dn_chars() function
Use alternative DN construction methods that don't rely on escape_dn_chars() for untrusted input

🔍 How to Verify

Check if Vulnerable:

Check python-ldap version: pip show python-ldap | grep Version. If version is less than 3.4.5 and application uses escape_dn_chars() with user input, it's vulnerable.

Check Version:

pip show python-ldap | grep Version

Verify Fix Applied:

After updating, test with input containing null bytes: from ldap.dn import escape_dn_chars; result = escape_dn_chars('test\x00test'); print(result). Should return properly escaped hex form.

📡 Detection & Monitoring

Log Indicators:

Application errors related to DN parsing or LDAP client failures
Python tracebacks showing escape_dn_chars() failures

Network Indicators:

Reduced LDAP query volume from affected applications
Authentication failures in LDAP-dependent systems

SIEM Query:

source="application_logs" AND ("escape_dn_chars" OR "DN parsing error" OR "LDAP client error")

📊 Metadata

CVE ID: CVE-2025-61912

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE: CWE-116

EPSS Score: 0.16% exploit probability (36.9th percentile)

Published: October 10, 2025

Last Updated: December 4, 2025

🔗 References

https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f Patch
https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5 Release Notes
https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-61912, you might also want to check these: