N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61911

GHSA ID

GHSA-r7r6-cc7p-4v5m

EPSS Score

CWE

CWE-75

Published

10/10/2025

Updated

10/10/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61911

CVE-2025-61911: python-ldap has sanitization bypass in ldap.filter.escape_filter_chars

Summary

The sanitization method ldap.filter.escape_filter_chars can be tricked to skip escaping of special characters when a crafted list or dict is supplied as the assertion_value parameter, and the non-default escape_mode=1 is configured.

Details

The method ldap.filter.escape_filter_chars supports 3 different escaping modes. escape_mode=0 (default) and escape_mode=2 happen to raise exceptions when a list or dict object is supplied as the assertion_value parameter. However, escape_mode=1 happily computes without performing adequate logic to ensure a fully escaped return value.

PoC

>>> import ldap.filter

Exploitable

>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
'abc@*()/xyz'
>>> ldap.filter.escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
'abc@*()/xyz'

Not exploitable

>>> ldap.filter.escape_filter_chars("abc@*()/xyz", escape_mode=1)
'abc@\\2a\\28\\29\\2fxyz'
>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib64/python3.12/site-packages/ldap/filter.py", line 41, in escape_filter_chars
    s = assertion_value.replace('\\', r'\5c')
        ^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'list' object has no attribute 'replace'
>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=2)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib64/python3.12/site-packages/ldap/filter.py", line 36, in escape_filter_chars
    r.append("\\%02x" % ord(c))
                        ^^^^^^
TypeError: ord() expected a character, but string of length 11 found

Impact

If an application relies on the vulnerable method in the python-ldap library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them.

With Python being a dynamically typed language, and the commonly used JSON format supporting list and dict, it is to be expected that Python applications may commonly forward unchecked and potentially malicious list and dict objects to the vulnerable sanitization method.

The vulnerable escape_mode=1 configuration does not appear to be widely used.

Suggested Fix

Add a type check at the start of the ldap.filter.escape_filter_chars method to raise an exception when the supplied assertion_value parameter is not of type str.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61911

GHSA ID

GHSA-r7r6-cc7p-4v5m

EPSS Score

CWE

CWE-75

Published

10/10/2025

Updated

10/10/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
python-ldap	pip	< 3.4.5	3.4.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the ldap.filter.escape_filter_chars function, which fails to properly sanitize input when it's a list or dictionary and escape_mode is set to 1. The provided security advisory and commit patch directly point to this function as the source of the vulnerability. The patch adds a type check to ensure the input is a string, thus preventing the type confusion that leads to the sanitization bypass. The evidence from the commit 3957526fb1852e84b90f423d9fef34c7af25b85a clearly shows the addition of this type check in Lib/ldap/filter.py as the fix. Therefore, escape_filter_chars is the function that would appear in a runtime profile during the exploitation of this vulnerability.

Vulnerable functions

escape_filter_chars

Lib/ldap/filter.py

The function `escape_filter_chars` in the `ldap.filter` module is vulnerable to a sanitization bypass. When `escape_mode=1` is configured, and the `assertion_value` parameter is a list or a dictionary instead of a string, the function fails to escape special LDAP filter characters. This allows an attacker to inject malicious filter strings, potentially leading to an LDAP injection attack. The patch mitigates this by adding a type check at the beginning of the function to ensure that the `assertion_value` is a string.

WAF Protection Rules

WAF Rule

### Summ*ry T** s*nitiz*tion m*t*o* `l**p.*ilt*r.*s**p*_*ilt*r_***rs` **n ** tri*k** to skip *s**pin* o* sp**i*l ***r**t*rs w**n * *r**t** `list` or `*i*t` is suppli** *s t** `*ss*rtion_v*lu*` p*r*m*t*r, *n* t** non-****ult `*s**p*_mo**=*` is *on*i*u

Reasoning

T** vuln*r**ility li*s in t** `l**p.*ilt*r.*s**p*_*ilt*r_***rs` *un*tion, w*i** **ils to prop*rly s*nitiz* input w**n it's * list or *i*tion*ry *n* `*s**p*_mo**` is s*t to *. T** provi*** s**urity **visory *n* *ommit p*t** *ir**tly point to t*is *un*

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-61911: python-ldap has sanitization bypass in ldap.filter.escape_filter_chars

Summary

Details

PoC

Impact

Suggested Fix

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI