CVE-2025-61912
Publication date 10 October 2025
Last updated 20 October 2025
Ubuntu priority
Description
python-ldap is a Lightweight Directory Access Protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC 4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.
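The escaping difference described above, as an added example that is not python-ldap's own code: a stand-alone RFC 4514 section 2.4 escaper with a flag that reproduces the pre-3.4.5 NUL handling, and a probe that tells whether a given escape function still emits a raw NUL. The function names, the legacy_nul flag and the base DN are constructed for illustration.

```python
"""Illustrative RFC 4514 section 2.4 value escaping; not python-ldap's source."""

# Characters RFC 4514 requires to be backslash-escaped anywhere in a value.
_SPECIALS = '"+,;<>='


def escape_dn_value(value: str, legacy_nul: bool = False) -> str:
    """Escape an attribute value for use inside a DN string.

    legacy_nul=True reproduces the behaviour the advisory describes for
    versions before 3.4.5: a backslash followed by a literal NUL character.
    """
    if not value:
        return value
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\\x00" if legacy_nul else "\\00")
        else:
            out.append(ch)
    escaped = "".join(out)
    # A trailing space and a leading space or '#' must also be escaped.
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    if escaped[0] in "# ":
        escaped = "\\" + escaped
    return escaped


def emits_raw_nul(escape_fn) -> bool:
    """Return True if escape_fn leaves a literal NUL in its output (unpatched)."""
    return "\x00" in escape_fn("probe\x00")


def build_user_dn(uid: str, base: str = "ou=people,dc=example,dc=org") -> str:
    """Build a DN from untrusted input; the base DN is a constructed sample."""
    rdn_value = escape_dn_value(uid)
    if "\x00" in rdn_value:  # defence in depth against an unpatched escaper
        raise ValueError("NUL survived DN escaping")
    return f"uid={rdn_value},{base}"
```

Passing ldap.dn.escape_dn_chars to emits_raw_nul() checks the installed package by behaviour. That matters on Ubuntu, where the fixed packages keep an upstream version number lower than 3.4.5.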
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-ldap | 25.10 questing | Fixed 3.4.4-1ubuntu0.25.10.1 |
| | 25.04 plucky | Fixed 3.4.4-1ubuntu0.25.04.1 |
| | 24.04 LTS noble | Fixed 3.4.4-1ubuntu0.24.04.1 |
| | 22.04 LTS jammy | Fixed 3.2.0-4ubuntu7.2 |
| | 20.04 LTS focal | Fixed 3.2.0-4ubuntu2.1+esm1 |
| | 18.04 LTS bionic | Fixed 3.0.0-1ubuntu0.2+esm1 |
| | 16.04 LTS xenial | Fixed 2.4.22-0.1ubuntu0.1~esm1 |
References
Related Ubuntu Security Notices (USN)
- USN-7828-1: Python LDAP vulnerabilities (20 October 2025)
Other references
- https://www.cve.org/CVERecord?id=CVE-2025-61912
- https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6
- https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f (main)
- https://github.com/python-ldap/python-ldap/commit/9f5b2effbafdf7af0e7064a7aa42d2739d373bd7 (python-ldap-3.4.5)
- https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5