Skip to content

Sanitization bypass in ldap.filter.escape_filter_chars

Low
droideck published GHSA-r7r6-cc7p-4v5m Oct 10, 2025

Package

pip python-ldap (pip)

Affected versions

< 3.4.5

Patched versions

None

Description

Summary

The sanitization method ldap.filter.escape_filter_chars can be tricked to skip escaping of special characters when a crafted list or dict is supplied as the assertion_value parameter, and the non-default escape_mode=1 is configured.

Details

The method ldap.filter.escape_filter_chars supports 3 different escaping modes. escape_mode=0 (default) and escape_mode=2 happen to raise exceptions when a list or dict object is supplied as the assertion_value parameter. However, escape_mode=1 happily computes without performing adequate logic to ensure a fully escaped return value.

PoC

>>> import ldap.filter

Exploitable

>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=1)
'abc@*()/xyz'
>>> ldap.filter.escape_filter_chars({"abc@*()/xyz": 1}, escape_mode=1)
'abc@*()/xyz'

Not exploitable

>>> ldap.filter.escape_filter_chars("abc@*()/xyz", escape_mode=1)
'abc@\\2a\\28\\29\\2fxyz'
>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=0)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib64/python3.12/site-packages/ldap/filter.py", line 41, in escape_filter_chars
    s = assertion_value.replace('\\', r'\5c')
        ^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'list' object has no attribute 'replace'
>>> ldap.filter.escape_filter_chars(["abc@*()/xyz"], escape_mode=2)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib64/python3.12/site-packages/ldap/filter.py", line 36, in escape_filter_chars
    r.append("\\%02x" % ord(c))
                        ^^^^^^
TypeError: ord() expected a character, but string of length 11 found

Impact

If an application relies on the vulnerable method in the python-ldap library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them.
With Python being a dynamically typed language, and the commonly used JSON format supporting list and dict, it is to be expected that Python applications may commonly forward unchecked and potentially malicious list and dict objects to the vulnerable sanitization method.
Luckily the vulnerable escape_mode=1 configuration does not appear to be widely used.

Suggested Fix

Add a type check at the start of the ldap.filter.escape_filter_chars method to raise an exception when the supplied assertion_value parameter is not of type str.

Severity

Low

CVE ID

CVE-2025-61911

Weaknesses

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

The product does not adequately filter user-controlled input for special elements with control implications. Learn more on MITRE.

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. Learn more on MITRE.

Credits