VYPR
Moderate severity · NVD Advisory · Published Jul 5, 2023 · Updated Aug 2, 2024

CVE-2023-25399

Description

A disputed memory leak in SciPy's Py_FindObjects function, caused by a reference that is never released on one code path. The SciPy maintainers dispute the security relevance because SciPy is not designed to process untrusted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2023-25399 describes a refcounting issue in SciPy's Py_FindObjects() function (scipy/ndimage/src/nd_image.c), reported against commit 8627df31ab. The root cause, visible in the fix diff listed under Patches below, is a shadowed local variable: a freshly created tuple was stored in an inner-scope `tuple` declaration, so the cleanup at the function's `exit` label, which releases the outer `tuple`, never saw it. Each time the function bailed out through that path, one tuple object leaked. The issue was originally reported through a static analyzer. [1]
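To make the mechanism concrete, the following is an added toy model written for this page; it is not SciPy's or CPython's code. A small refcounted `Obj` stands in for `PyObject`, a global `live_objects` counter plays the role of allocator accounting, and `find_objects_buggy` / `find_objects_fixed` reproduce the control flow before and after the fix commit. The `fail_at` parameter simulates the allocation failure that sends the real function to its `exit` label; all names and the `Result` container are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of the Py_FindObjects refcount leak (added example, not SciPy
 * or CPython code). Obj stands in for PyObject; live_objects counts what a
 * real refcount leak would leave behind after the function returns.
 */
typedef struct { long refcnt; } Obj;

static long live_objects = 0;          /* objects currently allocated */

static Obj *obj_new(void) {
    Obj *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->refcnt = 1;
    live_objects++;
    return o;
}

static void obj_decref(Obj *o) {       /* like Py_DECREF: o must be non-NULL */
    if (--o->refcnt == 0) { live_objects--; free(o); }
}

static void obj_xdecref(Obj *o) {      /* like Py_XDECREF: NULL is ignored */
    if (o) obj_decref(o);
}

#define MAX_ITEMS 16
typedef struct { Obj *items[MAX_ITEMS]; int count; } Result;  /* assumed container */

static void result_clear(Result *r) {
    for (int i = 0; i < r->count; i++) obj_decref(r->items[i]);
    r->count = 0;
}

/*
 * Buggy shape (before commit 9b6521198c4f): the inner `tuple` declaration
 * shadows the outer `tuple` that the exit path releases. fail_at >= 0
 * simulates an allocation failure (the PyErr_NoMemory() path) while
 * tuple number fail_at is being built, which triggers `goto exit`.
 */
static int find_objects_buggy(Result *out, int n_items, int fail_at) {
    Obj *tuple = NULL;                 /* outer variable, released at exit */
    out->count = 0;
    for (int ii = 0; ii < n_items && ii < MAX_ITEMS; ii++) {
        Obj *tuple = obj_new();        /* BUG: shadows the outer `tuple` */
        if (!tuple || ii == fail_at)
            goto exit;                 /* the inner tuple is now unreachable */
        out->items[out->count++] = tuple;  /* reference moves into the result */
        tuple = NULL;
    }
    return 0;
exit:
    obj_xdecref(tuple);                /* outer `tuple`: still NULL, frees nothing */
    result_clear(out);
    return -1;
}

/* Fixed shape: assign to the outer `tuple`, so the exit path can release it. */
static int find_objects_fixed(Result *out, int n_items, int fail_at) {
    Obj *tuple = NULL;
    out->count = 0;
    for (int ii = 0; ii < n_items && ii < MAX_ITEMS; ii++) {
        tuple = obj_new();
        if (!tuple || ii == fail_at)
            goto exit;
        out->items[out->count++] = tuple;
        tuple = NULL;
    }
    return 0;
exit:
    obj_xdecref(tuple);                /* releases the half-built tuple */
    result_clear(out);
    return -1;
}

/* Run fn once and report how many objects it left allocated afterwards. */
static long leaked_by(int (*fn)(Result *, int, int), int n_items, int fail_at) {
    Result r;
    long before = live_objects;
    if (fn(&r, n_items, fail_at) == 0)
        result_clear(&r);              /* on success the caller owns the result */
    return live_objects - before;
}

int main(void) {
    printf("buggy, failing call: %ld object(s) leaked\n",
           leaked_by(find_objects_buggy, 4, 2));
    printf("fixed, failing call: %ld object(s) leaked\n",
           leaked_by(find_objects_fixed, 4, 2));
    printf("buggy, success path: %ld object(s) leaked\n",
           leaked_by(find_objects_buggy, 4, -1));
    return 0;
}
```

The model shows why the maintainers call this a bug rather than a vulnerability: the success path leaks nothing, and the leak is one object per failing call, so an attacker would have to cause repeated allocation failures inside the function to exhaust memory. Compiling with `-Wshadow` flags the buggy declaration at build time.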

Exploitation

Context

Triggering the leak requires driving the function (reached from Python through scipy.ndimage.find_objects) into its error path, an allocation failure while the result tuples are being built, and doing so repeatedly; ordinary inputs do not leak. The SciPy project disputes this as a security vulnerability, stating that SciPy is not designed to be exposed to untrusted users or data directly. The project's threat model does not treat such memory leaks as exploitable in typical usage, since they only cause gradual memory growth under specific conditions. [1][4]

Impact

The primary impact is a gradual memory leak, which could in theory lead to denial of service through memory exhaustion if that error path is hit repeatedly. No other security implications, such as code execution or privilege escalation, have been identified. The maintainers consider the issue a bug rather than a vulnerability. [1]

Mitigation

Status

Although the finding is disputed, SciPy did fix it: commit 9b6521198c4f (listed under Patches below), and the GitHub Security Advisory marks versions before 1.10.0 as affected and 1.10.0 as patched, so upgrading is the straightforward remediation. Users who rely on SciPy for processing untrusted data should additionally take precautions such as running it in a sandboxed environment. The PyPA advisory database does not list a severity score. [3]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
scipy     PyPI        < 1.10.0            1.10.0

Affected products

13

Patches

1
9b6521198c4f

BUG: fix a minor refcounting issue in `Py_FindObjects`

https://github.com/scipy/scipy · Ralf Gommers · Jun 13, 2022 · via ghsa
1 file changed · +3 −3
  • scipy/ndimage/src/nd_image.c (+3 −3, modified)
    @@ -885,7 +885,7 @@ static PyObject *Py_FindObjects(PyObject *obj, PyObject *args)
             npy_intp idx =
                     PyArray_NDIM(input) > 0 ? 2 * PyArray_NDIM(input) * ii : ii;
             if (regions[idx] >= 0) {
    -            PyObject *tuple = PyTuple_New(PyArray_NDIM(input));
    +            tuple = PyTuple_New(PyArray_NDIM(input));
                 if (!tuple) {
                     PyErr_NoMemory();
                     goto exit;
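Review bot: the defect fixed here is variable shadowing, and that deserves a sentence in the commit message. The removed line declares a new `PyObject *tuple` inside the `if` block, while the added line assigns to a `tuple` declared outside this hunk, the one the function's exit path can release. With the old declaration, the `goto exit` on this `PyErr_NoMemory()` path (and the ones in the inner loop below) left the freshly allocated inner tuple unreachable, which is the leak. Suggest adding `-Wshadow` to the extension's warning flags so the compiler catches this class of bug, and a comment at the outer `tuple` declaration noting that the `exit` cleanup owns it.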
    @@ -903,8 +903,8 @@ static PyObject *Py_FindObjects(PyObject *obj, PyObject *args)
                         PyErr_NoMemory();
                         goto exit;
                     }
    -                Py_XDECREF(start);
    -                Py_XDECREF(end);
    +                Py_DECREF(start);
    +                Py_DECREF(end);
                     start = end = NULL;
                     PyTuple_SetItem(tuple, jj, slc);
                     slc = NULL;
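Review bot: switching `Py_XDECREF(start)` / `Py_XDECREF(end)` to `Py_DECREF` is only correct if both pointers are guaranteed non-NULL at this point; the hunk context shows the `PyErr_NoMemory(); goto exit;` branch above but not the condition guarding it nor where `start` and `end` are created, so confirm that a NULL check on both precedes this line before merging (a NULL reaching `Py_DECREF` is a crash, worse than the leak being fixed). Separately, the return value of `PyTuple_SetItem(tuple, jj, slc)` is ignored; the call steals the reference to `slc` even when it fails, so the following `slc = NULL;` is right, but a -1 result sets an exception that should be routed to `exit` rather than silently dropped.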
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.