python-ldap has sanitization bypass in ldap.filter.escape_filter_chars
Description
python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method ldap.filter.escape_filter_chars can be tricked into skipping the escaping of special characters when a crafted list or dict is supplied as the assertion_value parameter and the non-default escape_mode=1 is configured. The method supports three escaping modes. escape_mode=0 (the default) and escape_mode=2 happen to raise exceptions when a list or dict is supplied as assertion_value. escape_mode=1, however, iterates over the value without checking its type and returns a result that is not fully escaped. If an application relies on the vulnerable method to escape untrusted user input, an attacker might be able to abuse the flaw to launch LDAP injection attacks that could disclose or manipulate LDAP data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the start of ldap.filter.escape_filter_chars that raises an exception when the supplied assertion_value is not of type str.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In python-ldap <3.4.5, escape_filter_chars with escape_mode=1 can be bypassed by supplying a list or dict, enabling LDAP injection.
The vulnerability in python-ldap versions prior to 3.4.5 lies in the ldap.filter.escape_filter_chars function when used with the non-default escape_mode=1. While escape_mode=0 (default) and escape_mode=2 raise exceptions when a list or dict is supplied as the assertion_value, escape_mode=1 does not properly validate the input type, allowing a crafted non-string object to bypass escaping of special characters [1][3].
An attacker can exploit this by providing a list or dict (e.g., ["abc@*()/xyz"] or {"abc@*()/xyz": 1}) instead of a string. If an application uses escape_mode=1 to sanitize untrusted user input, the attacker can inject LDAP filter special characters, leading to LDAP injection [3].
Successful exploitation could allow the attacker to manipulate LDAP queries, potentially disclosing or modifying sensitive directory data that would otherwise be inaccessible [1][3].
The issue is fixed in version 3.4.5, which adds a type check at the start of escape_filter_chars to raise an exception if the assertion_value is not a string [4]. Users should upgrade to the latest version to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
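The mechanism described in the Description and the AI Insight above, as an added example written for this page (it is not python-ldap's own code): a small model of the mode-1 escaper before and after the 3.4.5 type check, driven by the same payload arriving as a str, as the list that urllib.parse.parse_qs returns for a query parameter, and as a dict. The per-element comparison inside escape_mode1_vulnerable, the helper names, and the contains_unescaped_meta guard are assumptions made for illustration, not a copy of the library's source.

```python
"""Worked model of CVE-2025-61911 in python-ldap < 3.4.5.

Added example for this page; it is NOT python-ldap's own code.  The two
escaper functions re-implement the relevant behaviour of
ldap.filter.escape_filter_chars(value, escape_mode=1) for illustration:
the per-element comparison used to decide what to escape is an assumption
consistent with the advisory, not a copy of the library's source.
"""
import re
from urllib.parse import parse_qs


def _escape_element(c):
    """Backslash-hex escape every UTF-8 byte of c, e.g. '*' -> '\\2a'."""
    return "".join("\\%02x" % b for b in c.encode("utf-8"))


def escape_mode1_vulnerable(assertion_value):
    """Model of the pre-3.4.5 mode-1 path (assumed logic).

    It iterates over assertion_value and escapes any element that is outside
    the '0'..'z' range or is one of the RFC 4515 metacharacters \\*().
    For a str each element is a single character, so '*' and '(' become
    '\\2a' and '\\28'.  For a list (or the keys of a dict) each element is a
    whole string: 'abc@*()/xyz' < '0' is False, > 'z' is False, and the
    substring test against '\\*()' is False, so the string is appended
    verbatim, metacharacters and all.
    """
    out = []
    for c in assertion_value:
        if c < "0" or c > "z" or c in "\\*()":
            c = _escape_element(c)
        out.append(c)
    return "".join(out)


def escape_mode1_fixed(assertion_value):
    """Model of 3.4.5: the type check precedes any escaping logic."""
    if not isinstance(assertion_value, str):
        raise TypeError("assertion_value must be of type str.")
    return escape_mode1_vulnerable(assertion_value)


def build_uid_filter(uid, escaper):
    """What an application typically does: interpolate the escaped value."""
    return "(uid=%s)" % escaper(uid)


_ESCAPED_BYTE = re.compile(r"\\[0-9a-fA-F]{2}")


def contains_unescaped_meta(escaped):
    """Defensive check on an escaper's output: after removing every valid
    \\xx escape, no backslash or *() metacharacter may remain."""
    return any(ch in _ESCAPED_BYTE.sub("", escaped) for ch in "\\*()")


def fixed_rejects(value):
    """True if the patched escaper refuses value with TypeError."""
    try:
        escape_mode1_fixed(value)
    except TypeError:
        return True
    return False


def demo():
    # Constructed inputs.  The list form is exactly what
    # urllib.parse.parse_qs (and many web frameworks) return for a query
    # parameter, which is how a "crafted list" reaches the escaper.
    payload = "abc@*()/xyz"
    as_list = parse_qs("uid=" + payload)["uid"]   # ['abc@*()/xyz']
    as_dict = {payload: 1}
    return {
        "str": build_uid_filter(payload, escape_mode1_vulnerable),
        "list": build_uid_filter(as_list, escape_mode1_vulnerable),
        "dict": build_uid_filter(as_dict, escape_mode1_vulnerable),
        "list_fixed_rejected": fixed_rejects(as_list),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>20}: {v}")
```

Running it shows the str input fully escaped, the list and dict inputs reaching the filter verbatim (`(uid=abc@*()/xyz)`), and the fixed model raising TypeError for both. The contains_unescaped_meta check is a belt-and-braces guard an application can keep in front of its LDAP search even after upgrading, since it catches any escaper output that still carries a live metacharacter.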
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| python-ldap (PyPI) | < 3.4.5 | 3.4.5 |
Affected products
- Range: < 3.4.5
- python-ldap/python-ldap: < 3.4.5
Patches
3957526fb185 Merge commit from fork
2 files changed · +6 −0
Lib/ldap/filter.py+2 −0 modified@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,escape_mode=0): If 1 all NON-ASCII chars are escaped. If 2 all chars are escaped. """ + if not isinstance(assertion_value, str): + raise TypeError("assertion_value must be of type str.") if escape_mode: r = [] if escape_mode==1:
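Review bot: the new isinstance check sits before the `if escape_mode:` dispatch, so it applies to escape_mode=0 and 2 as well, where a list or dict previously failed further down with whatever exception those paths raised; callers that caught that earlier exception now get TypeError, and the docstring directly above the check still documents only the three escape modes with no mention that non-str input is rejected. Suggest adding a line such as `Raises TypeError if assertion_value is not a str.` to the docstring and calling out the stricter behaviour for every mode in the release notes.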
Tests/t_ldap_filter.py+4 −0 modified@@ -49,6 +49,10 @@ def test_escape_filter_chars_mode1(self): ), r'\c3\a4\c3\b6\c3\bc\c3\84\c3\96\c3\9c\c3\9f' ) + with self.assertRaises(TypeError): + escape_filter_chars(["abc@*()/xyz"], escape_mode=1) + with self.assertRaises(TypeError): + escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1) def test_escape_filter_chars_mode2(self): """
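Review bot: both new assertions live inside test_escape_filter_chars_mode1 and exercise only escape_mode=1, while the check they cover runs before the mode dispatch and applies to every mode; add the same list and dict assertions for escape_mode=0 and escape_mode=2 (and a bytes input) so a refactor that moves the check back under the mode-1 branch is caught, and consider a dedicated test_escape_filter_chars_type_check rather than extending the mode-1 test.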
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-r7r6-cc7p-4v5m (GitHub advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-61911 (NVD entry)
3. github.com/python-ldap/python-ldap/commit/3957526fb1852e84b90f423d9fef34c7af25b85a (fix commit)
4. github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5 (release)
5. github.com/python-ldap/python-ldap/security/advisories/GHSA-r7r6-cc7p-4v5m (project security advisory)