CVE-2025-12781Incorrect Type Conversion or Cast in Software Foundation Cpython

CWE-704Incorrect Type Conversion or CastCWE-20Improper Input Validation7 documents7 sources
Severity
6.3MEDIUMNVD
EPSS
0.0%
top 95.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Python Software Foundation CpythonPython
Timeline
PublishedJan 21

Description

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

NVDpython/python3.14.03.14.1+2
CVEListV5python_software_foundation/cpython3.14.03.14.1+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
CVE-2025-12781: When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always b2026-01-21
GHSA
GHSA-hfpw-x3fg-wmmg: When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always b2026-01-21
CVEList
base64.b64decode() always accepts "+/" characters, despite setting altchars2026-01-21

📋Vendor Advisories

2
Red Hat
cpython: base64.b64decode() always accepts "+/" characters, despite setting altchars2026-01-21
Debian
CVE-2025-12781: pypy3 - When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decod...2025

🕵️Threat Intelligence

1
Wiz
CVE-2025-12781 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-12781 — Incorrect Type Conversion or Cast | cvebase