EUVD-2025-200069
2025-12-01
[email protected]
5.5
CVSS 3.1
Share
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Lifecycle Timeline
4
Analysis Generated
Mar 15, 2026 - 13:34 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 13:34 euvd
EUVD-2025-200069
Patch Released
Mar 15, 2026 - 13:34 nvd
Patch available
CVE Published
Dec 01, 2025 - 18:16 nvd
MEDIUM 5.5
Description
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
Analysis
When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues
Technical Context
A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400).
Affected Products
Affected products: Python Python
Remediation
A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.
Priority Score
28
Low
Medium
High
Critical
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
Vendor Status
Ubuntu
Priority: Mediumpython2.7
| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| bionic | ignored | changes too intrusive |
| focal | ignored | changes too intrusive |
| jammy | ignored | changes too intrusive |
| trusty | ignored | changes too intrusive |
| xenial | ignored | changes too intrusive |
| upstream | needs-triage | - |
python3.4
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| trusty | ignored | changes too intrusive |
python3.5
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| trusty | released | 3.5.2-2ubuntu0~16.04.4~14.04.1+esm9 |
| xenial | released | 3.5.2-2ubuntu0~16.04.13+esm21 |
python3.6
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| bionic | released | 3.6.9-1~18.04ubuntu1.13+esm8 |
python3.7
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| bionic | released | 3.7.5-2ubuntu1~18.04.2+esm9 |
python3.8
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| bionic | released | 3.8.0-3ubuntu1~18.04.2+esm9 |
| focal | released | 3.8.10-0ubuntu1~20.04.18+esm5 |
python3.9
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| focal | released | 3.9.5-3ubuntu0~20.04.1+esm9 |
python3.10
| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| jammy | released | 3.10.12-1~22.04.14 |
python3.11
| Release | Status | Version |
|---|---|---|
| noble | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| jammy | released | 3.11.0~rc1-1~22.04.1~esm8 |
python3.12
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| plucky | DNE | - |
| questing | DNE | - |
| upstream | needs-triage | - |
| noble | released | 3.12.3-1ubuntu0.11 |
python3.13
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | ignored | end of life, was needs-triage |
| upstream | released | 3.13.11-1 |
| questing | released | 3.13.7-1ubuntu0.3 |
python3.14
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| upstream | released | 3.14.2-1 |
| questing | released | 3.14.0-1ubuntu0.2 |
Debian
Bug #1126782pypy3
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 7.3.5+dfsg-2+deb11u2 | - |
| bullseye (security) | vulnerable | 7.3.5+dfsg-2+deb11u5 | - |
| bookworm | vulnerable | 7.3.11+dfsg-2+deb12u3 | - |
| trixie | vulnerable | 7.3.19+dfsg-2 | - |
| forky, sid | vulnerable | 7.3.20+dfsg-4 | - |
| (unstable) | fixed | (unfixed) | - |
python3.11
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 3.11.2-6+deb12u6 | - |
| bookworm (security) | vulnerable | 3.11.2-6+deb12u3 | - |
| (unstable) | fixed | (unfixed) | - |
python3.13
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie | vulnerable | 3.13.5-2 | - |
| forky, sid | fixed | 3.13.12-1 | - |
| (unstable) | fixed | 3.13.11-1 | - |
python3.14
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| forky | fixed | 3.14.3-1 | - |
| sid | fixed | 3.14.3-2 | - |
| (unstable) | fixed | 3.14.2-1 | - |
python3.9
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 3.9.2-1+deb11u4 | - |
| bullseye (security) | fixed | 3.9.2-1+deb11u5 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
Destination URL
POC code from unknown sources may be malicious, contain backdoors, or be fake.
Always review and test exploit code in a safe, isolated environment (VM/sandbox).
Verify the source reputation and cross-reference with known databases (Exploit-DB, GitHub Security).