Bug 2403230 (CVE-2025-61912)

Summary: CVE-2025-61912 python-ldap: python-ldap Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: anthomas, bdettelb, doconnor, eglynn, ehelms, ggainey, haoli, hkataria, jajackso, jcammara, jjoyce, jmitchel, jneedle, jschluet, juwatts, kegrant, koliveir, kshier, lhh, lsvaty, mabashia, mburns, mgarciac, mhulan, nmoumoul, osousa, pbraun, pcreech, pgrist, rchan, shvarugh, simaishi, smallamp, smcdonal, stcannon, teagle, tfister, thavo, tmalecek, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A vulnerability exists in python-ldap's ldap.dn.escape_dn_chars() helper (versions prior to 3.4.5), where the null byte (\x00) is improperly escaped: the helper emits a backslash followed by a literal NUL byte instead of the RFC 4514 hex form \00. When this helper is used on untrusted input to build LDAP distinguished names (DNs), the resulting string still contains a raw NUL, which causes a client-side failure before any communication with the LDAP server occurs. This results in a client-side denial of service (DoS) for the parts of the application that rely on the helper for DN construction.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2406989, 2406991, 2406992, 2406993, 2406994, 2406995, 2406996
Bug Blocks:

Description OSIDB Bzimport 2025-10-10 23:01:59 UTC
python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.
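The following is an added example, not python-ldap's own code, illustrating both the Doc Text and the description above. It reimplements the escaping behaviour described for escape_dn_chars() before the fix (backslash plus a literal NUL) beside an RFC 4514 section 2.4 conformant version that emits the \00 hex pair, builds a DN from untrusted input with each, and simulates the str-to-C-string boundary that a CPython extension crosses (CPython's "s" argument format rejects embedded NULs with ValueError). The boundary simulation, the build_user_dn/lookup_outcome helpers and the example.com DN suffix are assumptions made for illustration; the fixed version also goes beyond the 3.4.5 change by hex-escaping every C0 control character, which RFC 4514 permits.

```python
# Added example (not python-ldap's code): models ldap.dn.escape_dn_chars()
# before and after python-ldap 3.4.5 and shows where the raw NUL bites.
import re

# Characters RFC 4514 section 2.4 requires escaping anywhere in a value.
_SPECIAL = '\\,+"<>;='


def escape_dn_chars_vulnerable(value: str) -> str:
    """Escaping as described for python-ldap < 3.4.5 (reimplementation).

    Specials become backslash + the character itself; applying that rule
    to NUL leaves a literal 0x00 in the output.  Newline/CR handling of the
    real function is omitted here because it is not part of the issue."""
    if not value:
        return value
    out = value.replace('\\', '\\\\')
    for ch in ',+"<>;=':
        out = out.replace(ch, '\\' + ch)
    out = out.replace('\x00', '\\\x00')   # the bug: backslash + raw NUL
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    if out[0] in '# ':
        out = '\\' + out
    return out


def escape_dn_chars_fixed(value: str) -> str:
    """RFC 4514 conformant escaping: NUL (and every other C0 control) is
    rendered as a backslash followed by the two hex digits of its UTF-8
    octet, so '\\x00' becomes '\\00'.  3.4.5 itself only changed NUL."""
    if not value:
        return value
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ord(ch) < 0x20 or ch == '\x7f':
            out.append('\\%02x' % ord(ch))   # single-octet UTF-8 code points
        else:
            out.append(ch)
    s = ''.join(out)
    if s.endswith(' '):
        s = s[:-1] + '\\ '
    if s[0] in '# ':
        s = '\\' + s
    return s


def unescape_dn_value(escaped: str) -> str:
    """Inverse of escape_dn_chars_fixed: hex pairs are UTF-8 octets, any other
    escaped character stands for itself.  Used to show the \\00 form round-trips."""
    buf = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch == '\\':
            if i + 1 >= len(escaped):
                raise ValueError('dangling backslash in DN value')
            pair = escaped[i + 1:i + 3]
            if re.fullmatch(r'[0-9A-Fa-f]{2}', pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.extend(escaped[i + 1].encode('utf-8'))
                i += 2
        else:
            buf.extend(ch.encode('utf-8'))
            i += 1
    return buf.decode('utf-8')


def to_c_string(dn: str) -> bytes:
    """Simulated str -> C string boundary (assumption, not _ldap's code):
    CPython's "s" argument parser raises ValueError on an embedded NUL, so a
    DN carrying a raw 0x00 never reaches the C LDAP library or the server."""
    if '\x00' in dn:
        raise ValueError('embedded null character')
    return dn.encode('utf-8')


def has_raw_control_bytes(dn: str) -> bool:
    """Check a practitioner can run on any DN built from untrusted input."""
    return any(ord(c) < 0x20 for c in dn)


def build_user_dn(uid: str, escape) -> str:
    """Hypothetical application code: DN built from an untrusted uid."""
    return 'uid=%s,ou=people,dc=example,dc=com' % escape(uid)


def lookup_outcome(uid: str, escape) -> str:
    """'sent' if the DN would reach the C library, else the client-side error."""
    try:
        to_c_string(build_user_dn(uid, escape))
    except ValueError as exc:
        return 'client-side failure: %s' % exc
    return 'sent'


if __name__ == '__main__':
    hostile_uid = 'jdoe\x00'   # constructed attacker-controlled input
    for name, fn in (('vulnerable', escape_dn_chars_vulnerable),
                     ('fixed', escape_dn_chars_fixed)):
        dn = build_user_dn(hostile_uid, fn)
        print(name, repr(dn), has_raw_control_bytes(dn), lookup_outcome(hostile_uid, fn))
```

Running the block shows the vulnerable helper producing a DN with a raw NUL that fails at the client boundary, while the fixed helper yields `uid=jdoe\00,ou=people,...`, which is sent as-is and decodes back to the original value on the far side.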