advisory-database icon indicating copy to clipboard operation
advisory-database copied to clipboard
verified publisher icon github

GHSA-xqrq-4mgf-ff32 (CVE-2025-50817) is invalid

Open keysmashes opened this issue 3 months ago • 2 comments

This CVE refers to the following line of code as having a vulnerability: https://github.com/PythonCharmers/python-future/blob/2d56f83adab5a0957cfc5abbe62db1e2d1912b61/src/future/standard_library/init.py#L491

That line of code is import test; in the reporters' words:

When loading the future module, test.py is automatically imported and executed

...but that's what an import statement is meant to do. This one imports the stdlib test module: https://docs.python.org/3/library/test.html, unless you have a test.py somewhere in your sys.path (e.g. in the working directory). There's nothing unique about this particular import that could be described as a vulnerability – every python import statement uses the same machinery and could import the wrong file (e.g. os.py, platform.py) if you have one lying around.

Obviously, if your notional attacker is able to write python files to arbitrary parts of the filesystem, then you have a problem. That is not caused by python-future!

See https://github.com/PythonCharmers/python-future/issues/650#issuecomment-3251016598 for further details.

keysmashes avatar Sep 11 '25 13:09 keysmashes

👋 @keysmashes,

Thank you for bringing this to our attention. GitHub is not the assigning CNA for CVE-2025-50817. To dispute the CVE, you need to contact MITRE (the assigning CNA) through their web from.

Let me know if there anything else I can help with.

JonathanLEvans avatar Sep 11 '25 14:09 JonathanLEvans

Please update this vulnerability to reflect that MITRE has now marked it as disputed. https://www.cve.org/CVERecord?id=CVE-2025-50817

mwpeterson avatar Sep 30 '25 17:09 mwpeterson

Closing this issue as the advisory has since been withdrawn: https://github.com/advisories/GHSA-xqrq-4mgf-ff32

taladrane avatar Dec 22 '25 17:12 taladrane