CVE-2025-15367

The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

CVSS

No CVSS.

References

Link	Resource
https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7
https://github.com/python/cpython/issues/143923
https://github.com/python/cpython/pull/143924
https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El módulo poplib, cuando se le pasa un comando controlado por el usuario, puede tener comandos adicionales inyectados usando saltos de línea. La mitigación rechaza comandos que contienen caracteres de control.

20 Jan 2026, 23:16

Type	Values Removed	Values Added
References		() https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7 -

20 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-20 22:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-15367

Mitre link : CVE-2025-15367

CVE.ORG link : CVE-2025-15367

JSON object : View

Products Affected

No product.

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2025-15367", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cna@python.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-20T22:15:51.153", "references": [{"url": "https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/issues/143923", "source": "cna@python.org"}, {"url": "https://github.com/python/cpython/pull/143924", "source": "cna@python.org"}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/", "source": "cna@python.org"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "cna@python.org", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "The poplib module, when passed a user-controlled command, can have\nadditional commands injected using newlines. Mitigation rejects commands\ncontaining control characters."}, {"lang": "es", "value": "El m\u00f3dulo poplib, cuando se le pasa un comando controlado por el usuario, puede tener comandos adicionales inyectados usando saltos de l\u00ednea. La mitigaci\u00f3n rechaza comandos que contienen caracteres de control."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cna@python.org"}