
CVE-2025-22153: try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter

CVSS Score: 7.9 (CVSS v3.1)

Basic Information

EPSS Score: 0.22773%
Published: 1/23/2025
Updated: 1/23/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L

Package Name      Ecosystem  Vulnerable Versions  First Patched Version
RestrictedPython  pip        >= 6.0, < 8.0        8.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two key points: 1) the transformer allowed try/except* syntax (via visit_TryStar), and 2) ExceptionGroup was whitelisted in safe_builtins. The commit patching the vulnerability modifies both: it replaces visit_TryStar's permissive behaviour with a denial, and it removes ExceptionGroup from safe_builtins. These changes correspond directly to the described type confusion attack vector through try/except* handling in affected Python versions (3.11+). The CWE-843 (type confusion) classification and the commit message about a 'sandbox escape' confirm that these components were the entry points for exploitation.
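The two fix points above (deny try/except* instead of allowing it, and keep ExceptionGroup off the builtin whitelist) can be checked on untrusted source before it ever reaches a sandbox. The following is an added illustration, not RestrictedPython's own code: PolicyChecker, check_source and ALLOWED_BUILTINS are names chosen here, and ALLOWED_BUILTINS is a constructed whitelist in the spirit of safe_builtins rather than the project's real list. Only visit_TryStar, which NodeVisitor dispatches to by node class name, mirrors the method named on this page.

```python
import ast

# Constructed whitelist in the spirit of safe_builtins (not RestrictedPython's
# real list). ExceptionGroup is deliberately absent, matching the fix above.
ALLOWED_BUILTINS = frozenset({
    "len", "range", "str", "int", "list", "isinstance",
    "Exception", "ValueError", "TypeError", "KeyError",
})


class PolicyChecker(ast.NodeVisitor):
    """Collects policy violations rather than transforming the tree."""

    def __init__(self, bound_names):
        self.bound = bound_names
        self.errors = []

    # Dispatched only on Python 3.11+, where ast.TryStar exists; on older
    # interpreters try/except* is already a SyntaxError at parse time.
    def visit_TryStar(self, node):
        self.errors.append(f"line {node.lineno}: try/except* is not allowed")
        self.generic_visit(node)

    def visit_Name(self, node):
        # A free name the snippet never binds would resolve against the
        # sandbox's builtins, so it must be on the whitelist.
        if (isinstance(node.ctx, ast.Load) and node.id not in self.bound
                and node.id not in ALLOWED_BUILTINS):
            self.errors.append(
                f"line {node.lineno}: name '{node.id}' is not an allowed builtin")


def _bound_names(tree):
    """Names the snippet binds itself: assignments, defs, parameters, except targets."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            names.add(node.id)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            names.add(node.name)
        elif isinstance(node, ast.arg):
            names.add(node.arg)
        elif isinstance(node, ast.ExceptHandler) and node.name:
            names.add(node.name)
    return names


def check_source(source):
    """Return the list of policy violations for `source`; an empty list means accepted."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error: {exc.msg}"]
    checker = PolicyChecker(_bound_names(tree))
    checker.visit(tree)
    return checker.errors
```

A plain try/except block with a whitelisted exception type passes, while a try/except* block is rejected on 3.11+ and fails to parse on older interpreters, so it is refused either way.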


WAF Protection Rules

WAF Rule

### Impact

Via a type confusion bug in the CPython interpreter when using `try/except*` RestrictedPython could be bypassed. We believe this should be fixed upstream in Python itself; until then we remove support for `try/except*` from RestrictedPytho
