CVE-2025-22153 Overview
CVE-2025-22153 is a type confusion vulnerability in RestrictedPython, a security tool designed to define a safe subset of the Python language for use in trusted execution environments. This vulnerability allows attackers to bypass the RestrictedPython sandbox by exploiting a type confusion bug in CPython's try/except* exception handling mechanism.
RestrictedPython is commonly used in applications that need to execute untrusted Python code safely, such as content management systems, plugin frameworks, and multi-tenant platforms. The sandbox escape capability of this vulnerability undermines the fundamental security guarantees that RestrictedPython provides, potentially allowing malicious code to escape containment and execute arbitrary operations in the host environment.
Critical Impact
Attackers can bypass RestrictedPython's sandbox restrictions through a type confusion bug in CPython 3.11+ when using try/except* clauses, potentially gaining unrestricted code execution in trusted environments.
Affected Products
- RestrictedPython versions 6.0 through 7.x (prior to version 8.0)
- CPython versions 3.11 through 3.13.1 (prior to 3.13.2)
- Applications using RestrictedPython for sandboxed Python code execution
Discovery Timeline
- 2025-01-23 - CVE-2025-22153 published to NVD
- 2025-01-23 - Last updated in NVD database
Technical Details for CVE-2025-22153
Vulnerability Analysis
This vulnerability stems from a type confusion bug (CWE-843) in the CPython interpreter's implementation of the try/except* syntax, which was introduced in Python 3.11 as part of PEP 654 for handling exception groups. RestrictedPython added support for this feature in version 6.0, inadvertently creating an attack vector that allows sandbox escape.
The type confusion occurs during exception handling in the try/except* construct, where the interpreter incorrectly handles object types in a way that can be exploited to circumvent RestrictedPython's access controls. This allows an attacker to craft malicious code that appears compliant with RestrictedPython's restrictions but can break out of the sandbox when executed.
The attack requires network access and elevated privileges, with high complexity due to the specific conditions needed to trigger the type confusion. However, successful exploitation can have severe consequences, including unauthorized access to protected resources and arbitrary code execution outside the sandbox boundary.
Root Cause
The root cause is a type confusion vulnerability in CPython's exception group handling mechanism. When RestrictedPython version 6.0 added support for try/except* clauses to maintain compatibility with Python 3.11+, it inherited this underlying interpreter bug. The RestrictedPython security checks do not adequately handle the type confusion scenario, allowing specially crafted exception handling code to bypass the sandbox's restrictions.
Attack Vector
The attack vector is network-based, requiring the attacker to submit malicious Python code to an application that uses RestrictedPython for sandboxed execution. The attacker must craft code that:
- Utilizes the try/except* syntax introduced in Python 3.11
- Triggers the type confusion condition in the CPython interpreter
- Leverages the confused type state to escape RestrictedPython's access controls
The exploitation chain requires elevated privileges within the target application context and has high attack complexity due to the precise conditions required to trigger the vulnerability.
Changes
=======
-7.5 (unreleased)
+8.0 (unreleased)
----------------
+Backwards incompatible changes
+++++++++++++++++++++++++++++++
+
+- Disallow ``try/except*`` clauses due to a possible sandbox escape and
+ probable uselessness of this feature in the context of ``RestrictedPython``.
+ In addition, remove ``ExceptionGroup`` from ``safe_builtins`` (as useful only
+ with ``try/except*``). - This feature was introduced into
+ ``RestrictedPython`` in version 6.0 for Python 3.11+. (CVE-2025-22153)
+
- Drop support for Python 3.8.
+Features
+++++++++
+
- Update setuptools version pin.
(`#292 <https://github.com/zopefoundation/RestrictedPython/issues/292>`_)
Source: GitHub Commit
Detection Methods for CVE-2025-22153
Indicators of Compromise
- Presence of try/except* syntax in submitted or executed Python code within RestrictedPython sandboxes
- Unexpected access to system resources or protected builtins from sandboxed code execution
- Anomalous exception handling patterns involving ExceptionGroup objects in application logs
- Evidence of code execution outside expected sandbox boundaries
Detection Strategies
- Monitor RestrictedPython execution logs for code containing try/except* patterns
- Implement static analysis scanning of submitted Python code for exception group syntax before execution
- Deploy runtime monitoring to detect sandbox escape attempts or unauthorized resource access
- Use SentinelOne's behavioral AI to identify anomalous code execution patterns indicating sandbox bypass
Monitoring Recommendations
- Enable detailed logging for all RestrictedPython code compilation and execution events
- Alert on any use of ExceptionGroup or try/except* syntax in sandboxed environments
- Monitor for process behavior anomalies that may indicate successful sandbox escape
- Track network connections and file system access from processes running sandboxed code
How to Mitigate CVE-2025-22153
Immediate Actions Required
- Upgrade RestrictedPython to version 8.0 or later immediately
- Audit all deployed applications using RestrictedPython for affected versions
- If immediate upgrade is not possible, consider temporarily disabling sandboxed code execution features
- Review application logs for any suspicious code submissions containing try/except* patterns
Patch Information
The RestrictedPython maintainers have addressed this vulnerability in version 8.0 by completely removing support for try/except* clauses and removing ExceptionGroup from the safe_builtins collection. The patch commit 48a92c5bb617a647cffd0dadd4d5cfe626bcdb2f implements these changes.
For detailed patch information, refer to the GitHub Security Advisory and the patch commit.
Workarounds
- No known workarounds are available according to the vendor advisory
- The only recommended mitigation is upgrading to RestrictedPython version 8.0 or later
- Organizations unable to upgrade should consider temporarily suspending features that execute untrusted Python code
# Upgrade RestrictedPython to the patched version
pip install --upgrade RestrictedPython>=8.0
# Verify installed version
pip show RestrictedPython | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
