Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN071
_____________________________________________________________________

DATE                : 23/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running CPython.

=====================================================================
https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/
_____________________________________________________________________


[CVE-2025-12781] base64.b64decode() always accepts "+/" characters,
despite setting altchars


Seth Larson
21 janvier 2026 19:36

There is a MEDIUM severity vulnerability affecting CPython.

When passing data to the b64decode(), standard_b64decode(), and
urlsafe_b64decode() functions in the "base64" module the characters "+/"
will always be accepted, regardless of the value of "altchars" parameter,
typically used to establish an "alternative base64 alphabet" such as the
URL safe alphabet. This behavior matches what is recommended in earlier
base64 RFCs, but newer RFCs now recommend either dropping characters
outside the specified base64 alphabet or raising an error. The old behavior
has the possibility of causing data integrity issues.

This behavior can only be insecure if your application uses an alternate
base64 alphabet (without "+/"). If your application does not use the
"altchars" parameter or the urlsafe_b64decode() function, then your
application does not use an alternative base64 alphabet.

The attached patches DO NOT make the base64-decode behavior raise an error,
as this would be a change in behavior and break existing programs. Instead,
the patch deprecates the behavior which will be replaced with the newly
recommended behavior in a future version of Python. Users are recommended
to mitigate by verifying user-controlled inputs match the base64
alphabet they are expecting or verify that their application would not be
affected if the b64decode() functions accepted "+" or "/" outside of
altchars.

Please see the linked CVE ID for the latest information on affected
versions:

    https://www.cve.org/CVERecord?id=CVE-2025-12781
    https://github.com/python/cpython/pull/141128



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================