{"id":2888124,"name":"python-ldap","ecosystem":"pypi","description":"Python modules for implementing LDAP clients","homepage":"https://www.python-ldap.org/","licenses":"python-ldap","normalized_licenses":["Other"],"repository_url":"https://github.com/python-ldap/python-ldap","keywords_array":["ldap","directory","authentication"],"namespace":null,"versions_count":59,"first_release_published_at":"2011-02-19T15:43:06.000Z","latest_release_published_at":"2025-10-10T20:00:39.000Z","latest_release_number":"3.4.5","last_synced_at":"2026-04-20T18:12:50.471Z","created_at":"2022-04-10T12:21:08.297Z","updated_at":"2026-04-20T22:12:25.210Z","registry_url":"https://pypi.org/project/python-ldap/","install_command":"pip install python-ldap --index-url https://pypi.org/simple","documentation_url":"https://python-ldap.readthedocs.io/","metadata":{"funding":null,"documentation":"https://python-ldap.readthedocs.io/","classifiers":["Development Status :: 5 - Production/Stable","Intended Audience :: Developers","Intended Audience :: System Administrators","License :: OSI Approved :: Python Software Foundation License","Operating System :: MacOS :: MacOS X","Operating System :: Microsoft :: Windows","Operating System :: OS Independent","Operating System :: POSIX","Programming Language :: C","Programming Language :: Python","Programming Language :: Python :: 3","Programming Language :: Python :: 3.10","Programming Language :: Python :: 3.11","Programming Language :: Python :: 3.12","Programming Language :: Python :: 3.13","Programming Language :: Python :: 3.6","Programming Language :: Python :: 3.7","Programming Language :: Python :: 3.8","Programming Language :: Python :: 3.9","Topic :: Database","Topic :: Internet","Topic :: Software Development :: Libraries :: Python Modules","Topic :: System :: Systems Administration :: Authentication/Directory :: 
LDAP"],"normalized_name":"python-ldap","project_status":null},"repo_metadata":{},"repo_metadata_updated_at":"2024-10-29T20:52:16.428Z","dependent_packages_count":109,"downloads":3657706,"downloads_period":"last-month","dependent_repos_count":2649,"rankings":{"downloads":0.30263964807223864,"dependent_repos_count":0.20713918196161377,"dependent_packages_count":0.1691668296313454,"stargazers_count":null,"forks_count":null,"docker_downloads_count":0.30074103045572514,"average":0.24492167253023073},"purl":"pkg:pypi/python-ldap","advisories":[{"uuid":"GSA_kwCzR0hTQS1wMzRoLXdxN2otaDV2Ns4ABNQ7","url":"https://github.com/advisories/GHSA-p34h-wq7j-h5v6","title":"python-ldap is Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination","description":"### Summary\n\n\n`ldap.dn.escape_dn_chars()` escapes `\\x00` incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form `\\00`. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service.\n\n\n\n### Details\n\n\n\nAffected function: `ldap.dn.escape_dn_chars(s)`\n\nFile: Lib/ldap/dn.py\n\nBuggy behavior:\nFor NUL, the function does:\n\n`s = s.replace('\\000', '\\\\\\000')  # backslash + literal NUL`\n\nThis produces Python strings which, when passed to python-ldap APIs (e.g., `add_s`, `modify_s`, `rename_s`, or used as search bases), contain an embedded NUL. 
python-ldap then raises ValueError: embedded null character (or otherwise fails) before any network I/O.\nWith correct RFC-4514 encoding (`\\00`), the client proceeds and the server can apply its own syntax rules (e.g., AD will reject NUL in CN with result: 34), proving the failure originates in the escaping helper.\n\nWhy it matters: Projects follow the docs which state this function “should be used when building LDAP DN strings from arbitrary input.” The function’s guarantee is therefore relied upon as a safety API. A single NUL in attacker-controlled input reliably breaks client workflows (crash/unhandled exception, stuck retries, poison queue record), i.e., a DoS.\n\nStandards: RFC 4514 requires special characters and controls to be escaped using hex form; a literal NUL is not a valid DN character.\n\nMinimal fix: Escape NUL as hex:\n\n`s = s.replace('\\x00', r'\\00')`\n\n\n\n### PoC\n\nPrereqs: Any python-ldap install and a reachable LDAP server (for the second half). The first half (client-side failure) does not require a live server.\n\n```import ldap\nfrom ldap.dn import escape_dn_chars, str2dn\n\nl = ldap.initialize(\"ldap://10.0.1.11\")              # your lab DC/LDAP\nl.protocol_version = 3\nl.set_option(ldap.OPT_REFERRALS, 0)\nl.simple_bind_s(r\"DSEC\\dani.aga\", \"PassAa1\")         \n\n# --- Attacker-controlled value contains NUL ---\ncn = \"bad\\0name\"\nescaped_cn = escape_dn_chars(cn)\ndn = f\"CN={escaped_cn},OU=Users,DC=dsec,DC=local\"\nattrs = [('objectClass', [b'user']), ('sAMAccountName', [b'badsam'])]\n\nprint(\"=== BUGGY DN (contains literal NUL) ===\")\nprint(\"escaped_cn repr:\", repr(escaped_cn))\nprint(\"dn repr:\", repr(dn))\nprint(\"contains NUL?:\", \"\\x00\" in dn, \"at index:\", dn.find(\"\\x00\"))\n\nprint(\"=\u003e add_s(buggy DN): expected client-side failure (no server contact)\")\ntry:\n    l.add_s(dn, attrs)\n    print(\"add_s(buggy): succeeded (unexpected)\")\nexcept Exception as e:\n    print(\"add_s(buggy):\", 
type(e).__name__, e)  # ValueError: embedded null character\n\n# --- Correct hex escape demonstrates the client proceeds to the server ---\nsafe_dn = dn.replace(\"\\x00\", r\"\\00\")                 # RFC 4514-compliant\nprint(\"\\n=== HEX-ESCAPED DN (\\\\00) ===\")\nprint(\"safe_dn repr:\", repr(safe_dn))\nprint(\"=\u003e sanity parse:\", str2dn(safe_dn))           # parses locally\n\nprint(\"=\u003e add_s(safe DN): reaches server (AD will likely reject with 34)\")\ntry:\n    l.add_s(safe_dn, attrs)\n    print(\"add_s(safe): success (unlikely without required attrs/rights)\")\nexcept ldap.LDAPError as e:\n    print(\"add_s(safe):\", e.__class__.__name__, e)  # e.g., result 34 Invalid DN syntax (AD forbids NUL in CN)\n```\n\nObserved result (example):\n\n`add_s(buggy): ValueError embedded null character` ← client-side DoS\n\n`add_s(safe): INVALID_DN_SYNTAX (result 34, BAD_NAME)` ← request reached server; rejection due to server policy, not client bug\n\n\n### Impact\n\nType: Denial of Service (client-side).\n\nWho is impacted: Any application that uses ldap.dn.escape_dn_chars() to build DNs from (partially) untrusted input—e.g., user `creation/rename tools`, `sync/ETL jobs`, portals allowing self-service attributes, device onboarding, batch imports. 
A single crafted value with `\\x00` reliably forces exceptions/failures and can crash handlers or jam pipelines with poison records.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2025-10-10T22:53:25.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.5,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P","references":["https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6","https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f","https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5","https://nvd.nist.gov/vuln/detail/CVE-2025-61912","https://github.com/advisories/GHSA-p34h-wq7j-h5v6"],"source_kind":"github","identifiers":["GHSA-p34h-wq7j-h5v6","CVE-2025-61912"],"repository_url":"https://github.com/python-ldap/python-ldap","blast_radius":18.82695077063477,"created_at":"2025-10-10T23:00:09.536Z","updated_at":"2026-04-05T20:02:07.935Z","epss_percentage":0.00139,"epss_percentile":0.3376,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wMzRoLXdxN2otaDV2Ns4ABNQ7","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1wMzRoLXdxN2otaDV2Ns4ABNQ7","packages":[{"ecosystem":"pypi","package_name":"python-ldap","versions":[{"first_patched_version":"3.4.5","vulnerable_version_range":"\u003c 3.4.5"}],"purl":"pkg:pypi/python-ldap"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wMzRoLXdxN2otaDV2Ns4ABNQ7/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1yN3I2LWNjN3AtNHY1bc4ABNQ6","url":"https://github.com/advisories/GHSA-r7r6-cc7p-4v5m","title":"python-ldap has sanitization bypass in ldap.filter.escape_filter_chars","description":"### Summary\nThe sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the 
non-default `escape_mode=1` is configured.\n\n### Details\nThe method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a `list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` happily computes without performing adequate logic to ensure a fully escaped return value.\n\n### PoC\n```\n\u003e\u003e\u003e import ldap.filter\n```\n**Exploitable**\n```\n\u003e\u003e\u003e ldap.filter.escape_filter_chars([\"abc@*()/xyz\"], escape_mode=1)\n'abc@*()/xyz'\n\u003e\u003e\u003e ldap.filter.escape_filter_chars({\"abc@*()/xyz\": 1}, escape_mode=1)\n'abc@*()/xyz'\n```\n**Not exploitable**\n```\n\u003e\u003e\u003e ldap.filter.escape_filter_chars(\"abc@*()/xyz\", escape_mode=1)\n'abc@\\\\2a\\\\28\\\\29\\\\2fxyz'\n\u003e\u003e\u003e ldap.filter.escape_filter_chars([\"abc@*()/xyz\"], escape_mode=0)\nTraceback (most recent call last):\n  File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n  File \"/usr/local/lib64/python3.12/site-packages/ldap/filter.py\", line 41, in escape_filter_chars\n    s = assertion_value.replace('\\\\', r'\\5c')\n        ^^^^^^^^^^^^^^^^^^^^^^^\nAttributeError: 'list' object has no attribute 'replace'\n\u003e\u003e\u003e ldap.filter.escape_filter_chars([\"abc@*()/xyz\"], escape_mode=2)\nTraceback (most recent call last):\n  File \"\u003cstdin\u003e\", line 1, in \u003cmodule\u003e\n  File \"/usr/local/lib64/python3.12/site-packages/ldap/filter.py\", line 36, in escape_filter_chars\n    r.append(\"\\\\%02x\" % ord(c))\n                        ^^^^^^\nTypeError: ord() expected a character, but string of length 11 found\n```\n### Impact\nIf an application relies on the vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to 
them.\n\nWith Python being a dynamically typed language, and the commonly used `JSON` format supporting `list` and `dict`, it is to be expected that Python applications may commonly forward unchecked and potentially malicious `list` and `dict` objects to the vulnerable sanitization method.\n\nThe vulnerable `escape_mode=1` configuration does not appear to be widely used.\n\n### Suggested Fix\nAdd a type check at the start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied `assertion_value` parameter is not of type `str`.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2025-10-10T22:51:28.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":5.5,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:P","references":["https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r7r6-cc7p-4v5m","https://github.com/python-ldap/python-ldap/commit/3957526fb1852e84b90f423d9fef34c7af25b85a","https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5","https://nvd.nist.gov/vuln/detail/CVE-2025-61911","https://github.com/advisories/GHSA-r7r6-cc7p-4v5m"],"source_kind":"github","identifiers":["GHSA-r7r6-cc7p-4v5m","CVE-2025-61911"],"repository_url":"https://github.com/python-ldap/python-ldap","blast_radius":18.82695077063477,"created_at":"2025-10-10T23:00:09.695Z","updated_at":"2026-04-20T22:02:19.579Z","epss_percentage":0.00039,"epss_percentile":0.11436,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yN3I2LWNjN3AtNHY1bc4ABNQ6","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1yN3I2LWNjN3AtNHY1bc4ABNQ6","packages":[{"ecosystem":"pypi","package_name":"python-ldap","versions":[{"first_patched_version":"3.4.5","vulnerable_version_range":"\u003c 
3.4.5"}],"purl":"pkg:pypi/python-ldap"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yN3I2LWNjN3AtNHY1bc4ABNQ6/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1xZnI1LXdqcHctcTRjNM4AAruV","url":"https://github.com/advisories/GHSA-qfr5-wjpw-q4c4","title":"Denial of Service in python-ldap","description":"python-ldap before 3.4.0 is vulnerable to a denial of service when ldap.schema is used for untrusted schema definitions, because of a regular expression denial of service (ReDoS) flaw in the LDAP schema parser. By sending crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-06-19T00:00:21.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r8wq-qrxc-hmcm","https://nvd.nist.gov/vuln/detail/CVE-2021-46823","https://exchange.xforce.ibmcloud.com/vulnerabilities/221507","https://github.com/advisories/GHSA-qfr5-wjpw-q4c4"],"source_kind":"github","identifiers":["GHSA-qfr5-wjpw-q4c4","CVE-2021-46823"],"repository_url":"https://github.com/python-ldap/python-ldap","blast_radius":0.0,"created_at":"2022-12-21T16:12:18.263Z","updated_at":"2026-04-20T22:07:58.104Z","epss_percentage":0.00188,"epss_percentile":0.40632,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xZnI1LXdqcHctcTRjNM4AAruV","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1xZnI1LXdqcHctcTRjNM4AAruV","packages":[{"ecosystem":"pypi","package_name":"python-ldap","versions":[{"first_patched_version":"3.4.0","vulnerable_version_range":"\u003c 
3.4.0"}],"purl":"pkg:pypi/python-ldap"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xZnI1LXdqcHctcTRjNM4AAruV/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1yOHdxLXFyeGMtaG1jbc0YMg","url":"https://github.com/advisories/GHSA-r8wq-qrxc-hmcm","title":"ReDoS in LDAP schema parser","description":"https://github.com/python-ldap/python-ldap/issues/424\n\n### Impact\nThe LDAP schema parser of python-ldap 3.3.1 and earlier are vulnerable to a regular expression denial-of-service attack. The issue affects clients that use ``ldap.schema`` package to parse LDAP schema definitions from an untrusted source.\n\n### Patches\nThe upcoming release of python-ldap 3.4.0 will contain a workaround to prevent ReDoS attacks. The schema parser refuses schema definitions with an excessive amount of backslashes.\n\n### Workarounds\nAs a workaround, users can check input for excessive amount of backslashes in schemas. More than a dozen backslashes per line are atypical.\n\n### References\n[CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [python-ldap](https://github.com/python-ldap/python-ldap) 
tracker\n","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-11-29T17:58:59.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r8wq-qrxc-hmcm","https://github.com/python-ldap/python-ldap/issues/424","https://github.com/advisories/GHSA-r8wq-qrxc-hmcm"],"source_kind":"github","identifiers":["GHSA-r8wq-qrxc-hmcm"],"repository_url":"https://github.com/python-ldap/python-ldap","blast_radius":0.0,"created_at":"2022-12-21T16:12:41.723Z","updated_at":"2026-04-20T22:10:06.666Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOHdxLXFyeGMtaG1jbc0YMg","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1yOHdxLXFyeGMtaG1jbc0YMg","packages":[{"ecosystem":"pypi","package_name":"python-ldap","versions":[{"first_patched_version":"3.4.0","vulnerable_version_range":"\u003c 
3.4.0"}],"purl":"pkg:pypi/python-ldap"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOHdxLXFyeGMtaG1jbc0YMg/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/pypi/python-ldap","docker_dependents_count":503,"docker_downloads_count":438397734,"usage_url":"https://repos.ecosyste.ms/usage/pypi/python-ldap","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/pypi/python-ldap/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-ldap/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-ldap/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-ldap/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-ldap/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/python-ldap/codemeta","maintainers":[{"uuid":"encukou","login":"encukou","name":null,"email":null,"url":null,"packages_count":42,"html_url":"https://pypi.org/user/encukou/","role":null,"created_at":"2023-02-23T00:09:40.931Z","updated_at":"2023-02-23T00:09:40.931Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/encukou/packages"},{"uuid":"droideck","login":"droideck","name":null,"email":null,"url":null,"packages_count":4,"html_url":"https://pypi.org/user/droideck/","role":null,"created_at":"2023-02-23T00:09:40.801Z","updated_at":"2023-02-23T00:09:40.801Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/droideck/packages"},{"uuid":"mistotebe","login":"mistotebe","name":null,"email":null,"url":null,"packages_count":1,"html_url":"https://pypi.org/user/mistotebe/","role":null,"created_at":"2023-02-23T00:09:41.1
33Z","updated_at":"2023-02-23T00:09:41.133Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/mistotebe/packages"},{"uuid":"osuchw","login":"osuchw","name":null,"email":null,"url":null,"packages_count":1,"html_url":"https://pypi.org/user/osuchw/","role":null,"created_at":"2023-02-23T00:09:41.157Z","updated_at":"2023-02-23T00:09:41.157Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/pypi.org/maintainers/osuchw/packages"}]}