CVE-2025-22153
published 2025-01-23CVE-2025-22153: RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Via a type…
PriorityP343high7.9CVSS 3.1
AVNACHPRHUINSCCHIHAL
EPSS
0.39%
30.6th percentile
RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 when using `try/except*`, RestrictedPython starting in version 6.0 and prior to version 8.0 could be bypassed. The issue is patched in version 8.0 of RestrictedPython by removing support for `try/except*` clauses. No known workarounds are available.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | restrictedpython | < restrictedpython 8.0-1 (forky) | restrictedpython 8.0-1 (forky) |
| zopefoundation | restrictedpython | — | — |
| zopefoundation | restrictedpython | >= 0 < 8.0-1 | 8.0-1 |
| zopefoundation | restrictedpython | >= 0 < 8.0-1 | 8.0-1 |
| zopefoundation | restrictedpython | >= 0 < 4.0~b3-2ubuntu0.1~esm1 | 4.0~b3-2ubuntu0.1~esm1 |
| zopefoundation | restrictedpython | >= 0 < 4.0~b3-3ubuntu0.1~esm1 | 4.0~b3-3ubuntu0.1~esm1 |
| zopefoundation | restrictedpython | >= 0 < 6.2-1ubuntu0.24.04.1~esm1 | 6.2-1ubuntu0.24.04.1~esm1 |
| zopefoundation | restrictedpython | >= 6.0 < 8.0 | 8.0 |
CVSS provenance
nvdv3.17.9HIGHCVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
osv9.9CRITICAL
vendor_ubuntu8.4HIGH
vendor_debian7.9LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
RestrictedPython vulnerabilities
vendor_ubuntu·2025-03-18·CVSS 8.4
CVE-2023-37271 [HIGH] RestrictedPython vulnerabilities
Title: RestrictedPython vulnerabilities
Summary: Several security issues were fixed in RestrictedPython.
Nakul Choudhary and Robert Xiao discovered that RestrictedPython did not
properly sanitize certain inputs. An attacker could possibly use this
issue to execute arbitrary code. This issue only affected
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-37271)
Abhishek Govindarasu, Ankush Menat and Ward Theunisse discovered that
RestrictedPython did not correctly handle certain format strings. An
attacker could possibly use this issue to leak sensitive information.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-41039)
It was discovered that RestrictedPython did not correctly restrict access
to certain fields. An attacker could possibly use this issue to leak
s
Debian
CVE-2025-22153: restrictedpython - RestrictedPython is a tool that helps to define a subset of the Python language ...
vendor_debian·2025·CVSS 7.9
CVE-2025-22153 [HIGH] CVE-2025-22153: restrictedpython - RestrictedPython is a tool that helps to define a subset of the Python language ...
RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 when using `try/except*`, RestrictedPython starting in version 6.0 and prior to version 8.0 could be bypassed. The issue is patched in version 8.0 of RestrictedPython by removing support for `try/except*` clauses. No known workarounds are available.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 8.0-1)
sid: resolved (fixed in 8.0-1)
trixie: resolved (fixed in 8.0-1)
OSV
restrictedpython vulnerabilities
osv·2025-03-18·CVSS 9.9
CVE-2023-37271 [CRITICAL] restrictedpython vulnerabilities
restrictedpython vulnerabilities
Nakul Choudhary and Robert Xiao discovered that RestrictedPython did not
properly sanitize certain inputs. An attacker could possibly use this
issue to execute arbitrary code. This issue only affected
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2023-37271)
Abhishek Govindarasu, Ankush Menat and Ward Theunisse discovered that
RestrictedPython did not correctly handle certain format strings. An
attacker could possibly use this issue to leak sensitive information.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
(CVE-2023-41039)
It was discovered that RestrictedPython did not correctly restrict access
to certain fields. An attacker could possibly use this issue to leak
sensitive information. (CVE-2024-47532)
It was discovered that Restricted
OSV
try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter
osv·2025-01-23
CVE-2025-22153 [HIGH] try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter
try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter
### Impact
Via a type confusion bug in the CPython interpreter when using `try/except*` RestrictedPython could be bypassed.
We believe this should be fixed upstream in Python itself until that we remove support for `try/except*` from RestrictedPython.
(It has been fixed for some Python versions.)
### Patches
Patched in version 8.0 by removing support for `try/except*` clauses
### Workarounds
There is no workaround.
### References
none
GHSA
try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter
ghsa·2025-01-23
CVE-2025-22153 [HIGH] CWE-843 try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter
try/except* clauses could allow bypass RestrictedPython via type confusion bug in the CPython interpreter
### Impact
Via a type confusion bug in the CPython interpreter when using `try/except*` RestrictedPython could be bypassed.
We believe this should be fixed upstream in Python itself until that we remove support for `try/except*` from RestrictedPython.
(It has been fixed for some Python versions.)
### Patches
Patched in version 8.0 by removing support for `try/except*` clauses
### Workarounds
There is no workaround.
### References
none
OSV
CVE-2025-22153: RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment
osv·2025-01-23·CVSS 7.9
CVE-2025-22153 [HIGH] CVE-2025-22153: RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment
RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 when using `try/except*`, RestrictedPython starting in version 6.0 and prior to version 8.0 could be bypassed. The issue is patched in version 8.0 of RestrictedPython by removing support for `try/except*` clauses. No known workarounds are available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-01-23
Published