CVE-2025-22153
Published: 23 January 2025
Description
RestrictedPython is a tool that helps define a subset of the Python language which allows program input to be run inside a trusted environment. Via a type confusion bug in versions of the CPython interpreter starting in 3.11 and prior to 3.13.2 when using `try/except*`, RestrictedPython starting in version 6.0 and prior to version 8.0 could be bypassed. The issue is patched in version 8.0 of RestrictedPython by removing support for `try/except*` clauses. No known workarounds are available.
Security Summary
CVE-2025-22153 is a type confusion vulnerability stemming from a bug in the CPython interpreter, versions 3.11 through 3.13.1, specifically in the handling of `try/except*` clauses. The flaw enables a bypass of RestrictedPython, a tool designed to enforce a restricted subset of the Python language so that untrusted program input can be executed inside a trusted environment. RestrictedPython versions from 6.0 up to but not including 8.0 are affected, and only when they run on a CPython in the vulnerable range; both conditions must hold. The issue is classified under CWE-843 (Type Confusion).
Exploitation requires high privileges (PR:H) and high attack complexity (AC:H), but can occur over the network (AV:N) with no user interaction (UI:N). In this context the privilege requirement means the attacker must already be able to submit source code that RestrictedPython will compile and run. A successful attack changes scope (S:C), with high confidentiality and integrity impact (C:H/I:H) and low availability impact (A:L), for an overall CVSS v3.1 base score of 7.9. Such an attacker could craft Python code containing `try/except*` that evades RestrictedPython's restrictions, escaping the restricted subset and performing operations in the surrounding trusted environment that the policy was meant to forbid.
The vulnerability is addressed in RestrictedPython version 8.0, which patches the issue by removing support for `try/except*` clauses entirely; upgrading is the only fix, as no workarounds are available. Details are provided in the RestrictedPython security advisory (GHSA-gmj9-h825-chq2) and the patching commit (48a92c5bb617a647cffd0dadd4d5cfe626bcdb2f).
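The two practical checks a practitioner wants from this advisory are (1) whether a given CPython/RestrictedPython pair falls inside the affected ranges stated above, and (2) whether any stored, user-supplied scripts actually use `try/except*`, which is worth knowing while an upgrade to 8.0 is scheduled. The following is an added example written for this page; it is not code from the RestrictedPython project or the advisory. It encodes the version ranges from the advisory text and uses the standard-library `ast` module (on CPython 3.11+, `except*` parses to an `ast.TryStar` node). The sample scripts are constructed for illustration. Note that scanning for the construct is a triage aid only; the advisory reports no workaround, and the fix is upgrading RestrictedPython.

```python
import ast
import re
import sys

# Affected ranges as stated in the advisory (half-open: low <= v < high).
# CPython >= 3.11 and < 3.13.2; RestrictedPython >= 6.0 and < 8.0.
# The bypass applies only when BOTH conditions hold.
CPYTHON_AFFECTED = ((3, 11), (3, 13, 2))
RESTRICTEDPYTHON_AFFECTED = ((6, 0), (8, 0))


def parse_version(text):
    """Turn '3.13.1' or '7.4' into a comparable tuple of ints.

    Only the leading numeric part of each dotted component is kept, so a
    pre-release tag such as '3.13.2rc1' compares as 3.13.2. That is a
    deliberate simplification for this example, not a full PEP 440 parser.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def in_range(version, bounds):
    """True if low <= version < high, using Python tuple ordering so that
    (3, 13) < (3, 13, 2) and (3, 13, 2) is excluded."""
    low, high = bounds
    return low <= version < high


def is_vulnerable(cpython_version, restrictedpython_version):
    """Return True only if both the interpreter and the library are in
    the affected ranges from the advisory."""
    return in_range(parse_version(cpython_version), CPYTHON_AFFECTED) and in_range(
        parse_version(restrictedpython_version), RESTRICTEDPYTHON_AFFECTED
    )


def running_interpreter_affected():
    """Check the interpreter executing this script against the CPython range."""
    return in_range(tuple(sys.version_info[:3]), CPYTHON_AFFECTED)


def try_star_supported():
    """ast.TryStar exists only on CPython >= 3.11, where except* is valid syntax."""
    return hasattr(ast, "TryStar")


def uses_try_star(source):
    """Return True if the source contains a try/except* statement.

    Intended for scanning stored untrusted scripts before handing them to
    RestrictedPython. Raises on interpreters older than 3.11, which cannot
    parse except* at all (they would reject such scripts with SyntaxError).
    """
    if not try_star_supported():
        raise RuntimeError("this interpreter (< 3.11) cannot parse except*")
    tree = ast.parse(source)
    return any(isinstance(node, ast.TryStar) for node in ast.walk(tree))


# Constructed sample scripts (not taken from the advisory or any exploit).
SCRIPT_WITH_TRY_STAR = """
try:
    risky()
except* ValueError as eg:
    handle(eg)
"""

SCRIPT_PLAIN = """
try:
    risky()
except ValueError as exc:
    handle(exc)
"""


if __name__ == "__main__":
    for cpy, rp in [("3.11.0", "6.0"), ("3.13.1", "7.4"), ("3.13.2", "7.4"), ("3.12.1", "8.0")]:
        print(f"CPython {cpy} + RestrictedPython {rp}: vulnerable={is_vulnerable(cpy, rp)}")
    print(f"running interpreter in affected CPython range: {running_interpreter_affected()}")
    if try_star_supported():
        print(f"sample uses except*: {uses_try_star(SCRIPT_WITH_TRY_STAR)}")
        print(f"plain sample uses except*: {uses_try_star(SCRIPT_PLAIN)}")
```

`is_vulnerable` deliberately requires both ranges to match, mirroring the advisory: RestrictedPython 7.x on CPython 3.13.2 is not affected, and neither is RestrictedPython 8.0 on CPython 3.12. The AST scan tells you which stored scripts exercise the construct; it does not make those scripts safe on an affected pair.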
Details
- CWE(s)