FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cpython -- Use-after-free in "unicode_escape" decoder with error handler

Affected packages
python39 < 3.9.22_1
python310 < 3.10.17_1
python311 < 3.11.12_1
python312 < 3.12.10_1

Details

VuXML ID e587b52d-38ac-11f0-b7b6-dcfe074bd614
Discovery 2025-05-15
Entry 2025-05-24

cna@python.org reports:

There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.
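The workaround described above, as an added example that is not part of the VuXML entry or of CPython: decode "unicode_escape" strictly and catch UnicodeDecodeError instead of passing an error handler. The helper names, the DecodeResult type and the sample records are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class DecodeResult:
    text: Optional[str]   # decoded string, or None when decoding failed
    error: Optional[str]  # where and why it failed, or None on success


def affected_pattern(data: bytes) -> str:
    """The usage the advisory flags: "unicode_escape" combined with an error
    handler. Kept only for contrast; this is the call shape to look for in code."""
    return data.decode("unicode_escape", errors="replace")


def safe_unicode_escape(data: bytes) -> DecodeResult:
    """Advisory workaround: strict decode wrapped in try/except.
    A malformed escape raises UnicodeDecodeError; we record it instead."""
    try:
        return DecodeResult(data.decode("unicode_escape"), None)
    except UnicodeDecodeError as exc:
        # exc.start/exc.end locate the offending escape, exc.reason explains it
        return DecodeResult(None, f"offset {exc.start}-{exc.end}: {exc.reason}")


def decode_records(records: list[bytes]) -> tuple[list[str], list[tuple[int, str]]]:
    """Decode a batch, separating good strings from failures (index, reason)."""
    ok: list[str] = []
    failed: list[tuple[int, str]] = []
    for i, rec in enumerate(records):
        r = safe_unicode_escape(rec)
        if r.text is None:
            failed.append((i, r.error or "unknown"))
        else:
            ok.append(r.text)
    return ok, failed


# Constructed sample input: two well-formed records, then a truncated \xXX
# escape and a truncated \uXXXX escape, which strict decoding rejects.
SAMPLE = [b"caf\\xe9", b"\\u00e9t\\u00e9", b"bad\\x4", b"bad\\uZZZZ"]

if __name__ == "__main__":
    good, bad = decode_records(SAMPLE)
    print("decoded:", good)
    print("rejected:", bad)
```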

References

CVE Name CVE-2025-4516
URL https://nvd.nist.gov/vuln/detail/CVE-2025-4516