VYPR
Moderate severity · NVD Advisory · Published Oct 10, 2025 · Updated Oct 14, 2025

python-ldap Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination

CVE-2025-61912

Description

python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

python-ldap before 3.4.5 incorrectly escapes NUL bytes in DN strings, causing client-side denial of service.

Vulnerability

The ldap.dn.escape_dn_chars() function in python-ldap prior to version 3.4.5 escapes the NUL byte (\x00) incorrectly. Instead of producing the RFC-4514 compliant hex form \00, it emits a backslash followed by a literal NUL byte [1][3]. This violates the LDAP standard: RFC 4514 requires the NUL character to be represented as the hex pair \00 (other special characters may be escaped either as a backslash followed by the character or as a hex pair), so a raw NUL must never appear in a string-form DN.

Exploitation

Any application that uses escape_dn_chars() to construct Distinguished Names (DNs) from untrusted input is affected. An attacker can provide a string containing a NUL byte (e.g., "bad\0name"). When processed by the vulnerable function, the resulting DN contains an embedded null character. Subsequently, when the DN is passed to python-ldap APIs (such as add_s, modify_s, or used as a search base), a ValueError: embedded null character is raised before any network I/O occurs [3]. No LDAP server interaction is required for the failure; it happens entirely on the client side.

Impact

Successful exploitation results in a client-side denial of service. The application consistently fails with an unhandled exception, leading to crashes, stuck retry loops, or poisoned queue records. This can disrupt services that rely on LDAP operations (e.g., authentication, directory lookups) [1][3].

Mitigation

The issue is fixed in python-ldap version 3.4.5, released on 2025-10-10 [4]. Users should upgrade to this version or later. No workaround is available other than patching, as the function is intended to be a safe helper for escaping DN components.
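The behaviour described in the Vulnerability, Exploitation and Mitigation sections, as an added example that is not python-ldap's own code: a reference escaper that mirrors the patched logic beside the pre-3.4.5 variant, a probe that a deployment check can point at any escape function (including the installed ldap.dn.escape_dn_chars), and a small RFC 4514 decoder of my own that shows why the old output is not a valid escape sequence. The decoder and the sample input vector are constructed for this example; python-ldap's real failure is the "embedded null character" ValueError raised at the C boundary, which the decoder only stands in for.

```python
"""
Added example, not python-ldap's own code: RFC 4514 DN-value escaping as
patched in 3.4.5, the pre-3.4.5 behaviour for comparison, a probe for the
bug, and a decoder that demonstrates why the old output cannot be consumed.
"""
import string
from typing import Callable

# Characters RFC 4514 requires to be escaped with a preceding backslash.
_SPECIAL = ',+"\\<>;='


def _escape(s: str, nul_replacement: str) -> str:
    """Sequential str.replace escaping, mirroring python-ldap's structure.
    The backslash is doubled first; otherwise the backslashes added by the
    later replacements would themselves be doubled."""
    if not s:
        return s
    s = s.replace('\\', '\\\\')
    for ch in ',+"<>;=':
        s = s.replace(ch, '\\' + ch)
    s = s.replace('\x00', nul_replacement)
    if s[-1] == ' ':                 # trailing space
        s = s[:-1] + '\\ '
    if s[0] == '#' or s[0] == ' ':   # leading '#' or space
        s = '\\' + s
    return s


def escape_dn_chars_fixed(s: str) -> str:
    """Behaviour of python-ldap >= 3.4.5: NUL becomes the hex pair '\\00'."""
    return _escape(s, '\\00')


def escape_dn_chars_buggy(s: str) -> str:
    """Behaviour before 3.4.5: a backslash followed by a literal NUL byte."""
    return _escape(s, '\\\x00')


def nul_escaped_correctly(escape_fn: Callable[[str], str]) -> bool:
    """Probe an escape function the way a deployment check would: feed it a
    lone NUL and require the RFC 4514 hex pair with no raw NUL left behind.
    Point this at ldap.dn.escape_dn_chars to test an installed python-ldap."""
    out = escape_fn('\x00')
    return out == '\\00' and '\x00' not in out


def unescape_dn_value(s: str) -> str:
    """Decode an RFC 4514 attribute value (example decoder, not the library's):
    '\\XX' is one byte of the UTF-8 encoding, '\\c' is the special character c.
    Anything else after a backslash is malformed and raises ValueError, which
    is what a backslash followed by a raw NUL byte is."""
    buf = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c != '\\':
            buf += c.encode('utf-8')
            i += 1
            continue
        pair = s[i + 1:i + 3]
        if len(pair) == 2 and all(h in string.hexdigits for h in pair):
            buf.append(int(pair, 16))
            i += 3
            continue
        if i + 1 < len(s) and s[i + 1] in _SPECIAL + ' #':
            buf += s[i + 1].encode('utf-8')
            i += 2
            continue
        raise ValueError(f"malformed escape sequence at offset {i}")
    return buf.decode('utf-8')


def round_trips(value: str, escape_fn: Callable[[str], str]) -> bool:
    """True if escape_fn(value) decodes back to value under the RFC rules."""
    try:
        return unescape_dn_value(escape_fn(value)) == value
    except ValueError:
        return False


if __name__ == '__main__':
    # Constructed sample: the input vector used by the project's test suite.
    sample = 'f+o>o,b<a;r="\x00"'
    for name, fn in (('buggy', escape_dn_chars_buggy),
                     ('fixed', escape_dn_chars_fixed)):
        print(f"{name}: {fn(sample)!r}  hex-pair NUL: {nul_escaped_correctly(fn)}"
              f"  round-trips: {round_trips(sample, fn)}")
```

The probe is the useful part for a defender: run `nul_escaped_correctly(ldap.dn.escape_dn_chars)` in a startup self-check or a CI job and it returns False on every release this advisory covers, independent of how the package version string is reported. The decoder makes the other half of the argument concrete: the patched output survives a round trip, while the old output fails to parse at the backslash-NUL pair, which is the same class of failure the C-level "embedded null character" check enforces.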

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
python-ldap (PyPI)   < 3.4.5             3.4.5

Affected products: 2

Patches (1)
6ea80326a34e

Merge commit from fork

https://github.com/python-ldap/python-ldap · Simon Pichugin · Oct 10, 2025 · via ghsa
2 files changed · +3 −2
  • Lib/ldap/dn.py (+2 −1, modified)
    @@ -26,7 +26,8 @@ def escape_dn_chars(s):
         s = s.replace('>' ,'\\>')
         s = s.replace(';' ,'\\;')
         s = s.replace('=' ,'\\=')
    -    s = s.replace('\000' ,'\\\000')
    +    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
    +    s = s.replace('\x00' ,'\\00')
         if s[-1]==' ':
           s = ''.join((s[:-1],'\\ '))
         if s[0]=='#' or s[0]==' ':
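Review bot: the new `+` line `s = s.replace('\x00' ,'\\00')` yields the correct RFC 4514 form only because the backslash itself is escaped before this point; that earlier `replace` lies above the hunk's context, so the ordering constraint is invisible here and a future reordering of these calls would turn the inserted `\` into `\\00`. Suggest extending the new comment to record it, e.g. `# must run after the '\\' replacement above`, or collapsing the chain into a single pass with `str.translate` so the order cannot matter. Minor: the `'\x00' ,'\\00'` spacing copies the surrounding style, but the existing `'\000'` spelling on the `-` line and the new `'\x00'` are the same string, so the behavioural change is the replacement value alone; that is worth one sentence in the commit message.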
    
  • Tests/t_ldap_dn.py (+1 −1, modified)
    @@ -49,7 +49,7 @@ def test_escape_dn_chars(self):
             self.assertEqual(ldap.dn.escape_dn_chars(' '), r'\ ')
             self.assertEqual(ldap.dn.escape_dn_chars('  '), r'\ \ ')
             self.assertEqual(ldap.dn.escape_dn_chars('foobar '), r'foobar\ ')
    -        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), 'f\\+o\\>o\\,b\\<a\\;r\\=\\"\\\x00\\"')
    +        self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,b<a;r="\00"'), r'f\+o\>o\,b\<a\;r\=\"\00\"')
             self.assertEqual(ldap.dn.escape_dn_chars(r'foo\,bar'), r'foo\\\,bar')
     
         def test_str2dn(self):
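Review bot: the updated assertion mixes two escape conventions in a way that is easy to misread: the input literal `'f+o>o,b<a;r="\00"'` is a regular string, so `\00` there is an octal escape for an actual NUL character, whereas the expected value `r'f\+o\>o\,b\<a\;r\=\"\00\"'` is raw, so its `\00` is the three literal characters backslash-zero-zero. Writing the input as `'... "\x00"'` makes the NUL explicit. Suggest also adding a dedicated case, `self.assertEqual(ldap.dn.escape_dn_chars('\x00'), r'\00')`, and a negative check `self.assertNotIn('\x00', ldap.dn.escape_dn_chars('\x00'))`, since the embedded byte is the failure mode this fix removes and the combined vector would still pass if only the trailing quote escaping were wrong.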
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)