CVE-2025-12781 Overview
CVE-2025-12781 is an input validation vulnerability in Python's base64 module affecting the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions. The vulnerability allows the characters + and / to be accepted regardless of the value specified in the altchars parameter, which is typically used to establish an alternative base64 alphabet such as the URL-safe alphabet. This behavior, while consistent with older base64 RFCs, violates newer RFC recommendations that specify either dropping characters outside the specified base64 alphabet or raising an error.
Critical Impact
Applications using alternative base64 alphabets (without +/) may experience data integrity issues when processing user-controlled input that contains these standard base64 characters.
Affected Products
- Python CPython (versions using the base64 module with alternative alphabets)
- Applications using urlsafe_b64decode() function
- Applications using b64decode() with custom altchars parameter
Discovery Timeline
- 2026-01-21 - CVE CVE-2025-12781 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-12781
Vulnerability Analysis
The vulnerability exists in Python's base64 module where the decoding functions fail to properly enforce the alternative base64 alphabet when specified. When an application uses urlsafe_b64decode() or b64decode() with a custom altchars parameter to define an alternative alphabet (such as URL-safe encoding using -_ instead of +/), the standard base64 characters + and / are still accepted and processed. This type confusion (CWE-704) can lead to data integrity issues when applications rely on strict alphabet enforcement for security-sensitive operations.
The vulnerability is network-exploitable but requires specific conditions to be met: the target application must use an alternative base64 alphabet without the +/ characters, and the application must process user-controlled input through the affected decoding functions. Applications that do not use the altchars parameter or urlsafe_b64decode() function are not affected by this vulnerability.
Root Cause
The root cause is incorrect type coercion behavior in the base64 decoding implementation. The base64 module was designed to follow older RFC recommendations that were more permissive with character handling. However, newer RFCs now recommend stricter validation that either drops non-alphabet characters or raises errors. The current implementation maintains backward compatibility at the expense of proper input validation when alternative alphabets are specified, leading to potential data integrity violations.
Attack Vector
An attacker can exploit this vulnerability by providing base64-encoded data containing + and / characters to an application that expects URL-safe base64 encoding (which uses - and _ instead). When the application decodes this input using urlsafe_b64decode(), the standard characters are still processed, potentially leading to unexpected data being accepted. This could bypass input validation in applications that rely on the alternative alphabet for security purposes, such as token validation or signature verification.
A :exc:`binascii.Error` exception is raised
if *s* is incorrectly padded.
- If *validate* is ``False`` (the default), characters that are neither
+ If *validate* is false (the default), characters that are neither
in the normal base-64 alphabet nor the alternative alphabet are
- discarded prior to the padding check. If *validate* is ``True``,
- these non-alphabet characters in the input result in a
- :exc:`binascii.Error`.
+ discarded prior to the padding check, but the ``+`` and ``/`` characters
+ keep their meaning if they are not in *altchars* (they will be discarded
+ in future Python versions).
+ If *validate* is true, these non-alphabet characters in the input
+ result in a :exc:`binascii.Error`.
For more information about the strict base64 check, see :func:`binascii.a2b_base64`
- May assert or raise a :exc:`ValueError` if the length of *altchars* is not 2.
+ .. deprecated:: next
+ Accepting the ``+`` and ``/`` characters with an alternative alphabet
+ is now deprecated.
+
.. function:: standard_b64encode(s)
Source: GitHub CPython Commit
Detection Methods for CVE-2025-12781
Indicators of Compromise
- Presence of + or / characters in URL-safe base64 encoded inputs being processed by affected applications
- Unexpected data decoding results in applications using alternative base64 alphabets
- Log entries showing base64 decoded values containing characters outside the expected alternative alphabet
Detection Strategies
- Audit application code for usage of urlsafe_b64decode(), b64decode() with altchars, or standard_b64decode() functions
- Implement input validation to verify user-controlled base64 data matches the expected alphabet before decoding
- Review application logs for anomalous base64 decoding operations or data integrity failures
- Use static code analysis tools to identify potentially vulnerable base64 decoding patterns
Monitoring Recommendations
- Monitor application-level logs for data validation failures related to base64 processing
- Implement alerting for unexpected character sets in decoded base64 data within security-sensitive operations
- Review authentication and token validation systems that rely on URL-safe base64 encoding
How to Mitigate CVE-2025-12781
Immediate Actions Required
- Verify whether your application uses the altchars parameter with b64decode() or the urlsafe_b64decode() function
- Implement input validation to ensure user-controlled data matches the expected base64 alphabet before decoding
- Apply the available Python patches to enable deprecation warnings for the vulnerable behavior
- Review and update any security-sensitive code that relies on strict alternative base64 alphabet enforcement
Patch Information
Python has released patches that deprecate the vulnerable behavior. The patches do not immediately change the decoding behavior to avoid breaking existing programs, but issue deprecation warnings when + and / characters are accepted outside the specified alternative alphabet. The behavior will be replaced with stricter validation in future Python versions. Patches are available via multiple commits in the CPython repository, including commits 13360efd385d1a7d0659beba03787ea3d063ef9b, 1be80bec7960f5ccd059e75f3dfbd45fca302947, 9060b4abbe475591b6230b23c2afefeff26fcca5, e95e783dff443b68e8179fdb57737025bf02ba76, and fd17ee026fa9b67f6288cbafe374a3e479fe03a5. For more details, see the Python Security Announcement and GitHub Issue Discussion.
Workarounds
- Pre-validate all user-controlled base64 input against the expected alphabet before passing to decoding functions
- Use a custom decoding wrapper that explicitly rejects + and / characters when using alternative alphabets
- Enable the validate=True parameter in b64decode() calls to raise errors on non-alphabet characters
- Consider using third-party base64 libraries with stricter alphabet enforcement until Python updates the default behavior
# Workaround: Pre-validate URL-safe base64 input before decoding
import re
import base64
def safe_urlsafe_b64decode(data):
"""Decode URL-safe base64 with strict alphabet validation"""
# Reject standard base64 characters that should not be in URL-safe encoding
if isinstance(data, bytes):
data_str = data.decode('ascii')
else:
data_str = data
# Check for disallowed characters (+ and /)
if '+' in data_str or '/' in data_str:
raise ValueError("Input contains disallowed standard base64 characters")
return base64.urlsafe_b64decode(data)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
