Wiz
Vulnerability DatabaseCVE-2021-29921

CVE-2021-29921
Python vulnerability analysis and mitigation

Overview

In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. The vulnerability was introduced in Python 3.8.0 when the library was modified to accept leading zeros in IP address octets. This change was later identified as a security issue since it could allow attackers to bypass access control that is based on IP addresses (MITRE CVE, Python Security).

Technical details

The vulnerability exists in the ipaddress library's handling of IPv4 address strings containing octets with leading zeros. Rather than rejecting such addresses as ambiguous, the library strips the leading zeros and interprets the remaining digits as decimal numbers. This behavior differs from other systems that may interpret leading zeros as indicating octal numbers, creating potential ambiguity in IP address interpretation. For example, an attacker could submit '010.8.8.8', which Python's ipaddress module would interpret as '10.8.8.8', while other systems might interpret it as '8.8.8.8' (the octal interpretation) (SICK Advisory).

Impact

The vulnerability could allow attackers to bypass IP-based access controls by submitting IP addresses with leading zeros that are interpreted differently by different systems. This could potentially lead to unauthorized access, server-side request forgery (SSRF), remote file inclusion (RFI), and local file inclusion attacks in applications that rely on Python's ipaddress module for IP address validation (SICK Advisory).

Mitigation and workarounds

The vulnerability was fixed in Python 3.9.5 and backported to Python 3.8.12. The fix makes the parsing behavior stricter, rejecting any IPv4 address strings containing octets with leading zeros. Organizations should upgrade to these or later versions. For systems that cannot be immediately upgraded, a workaround is to pre-process IP address strings to remove leading zeros before passing them to the ipaddress module (Python Security).

Community reactions

The security community initially debated the severity of this vulnerability, with some researchers arguing it was a critical issue while others considered it lower risk. The Python core team ultimately decided to backport the fix to Python 3.8.12 after the vulnerability received a CVSS score of 9.8 and multiple vendors expressed concerns about the potential for exploitation (GitHub PR).

Additional resources

SourceThis report was generated using AI

Related Python vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-67511CRITICAL9.6
  • PythonPython
  • cai-framework
NoNoDec 09, 2025
CVE-2025-66645HIGH7.5
  • PythonPython
  • nicegui
NoYesDec 09, 2025
GHSA-9rwj-6rc7-p77cHIGH7.3
  • PythonPython
  • langgraph-checkpoint-sqlite
NoYesDec 10, 2025
CVE-2025-67502MEDIUM5.4
  • PythonPython
  • taguette
NoYesDec 10, 2025
CVE-2025-67485MEDIUM5.3
  • PythonPython
  • mad-proxy
NoNoDec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo