
Cloud Vulnerability DB
A community-led vulnerabilities database
Babel.Locale in Babel before version 2.9.1 contains a directory traversal vulnerability that allows attackers to load arbitrary locale .dat files containing serialized Python objects, leading to potential code execution. The vulnerability was discovered in 2021 and is tracked as CVE-2021-42771. The issue affects Python applications using Babel versions prior to 2.9.1 (Tenable Research, NVD).
The vulnerability exists in the Babel.Locale functionality, where a directory traversal flaw can be exploited to load arbitrary locale .dat files from outside the intended locale-data directory using path traversal sequences (../../). When a property of a Locale object is accessed, the locale .dat file named by the locale identifier is deserialized with Python's pickle.load(), which can execute arbitrary code if an attacker can cause a maliciously crafted .dat file to be loaded. The vulnerability has a CVSS v3.1 Base Score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Tenable Research, NVD).
If exploited, this vulnerability could allow attackers to execute arbitrary code in the context of the running process through deserialization of malicious locale files. This could lead to complete system compromise, depending on the privileges of the running process (Tenable Research).
The recommended mitigation is to update Babel to version 2.9.1 or later, which includes a fix for this vulnerability. The fix was implemented through a pull request that adds proper validation of locale identifiers before loading files (GitHub PR, Debian Advisory).
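The kind of identifier validation the mitigation refers to, as an added example that is not Babel's own code nor the actual 2.9.1 patch; the identifier pattern, the function names and the data directory are assumptions. It layers a strict allow-list on the identifier with a path containment check, so a traversal sequence is rejected before pickle.load() is ever reached.

```python
import os
import pickle
import re

# Assumed allow-list for locale identifiers: language, optional 4-letter script,
# optional territory (2 letters or 3 digits), optional variant, joined by "_"
# (e.g. en_US, zh_Hant_TW, en_US_POSIX). Path separators and dots cannot match.
_LOCALE_ID_RE = re.compile(
    r"^[a-z]{2,3}(_[A-Za-z]{4})?(_[A-Z]{2}|_[0-9]{3})?(_[A-Za-z0-9]{1,8})?$"
)


def identifier_is_wellformed(name):
    """First layer: reject anything that is not a plain locale identifier."""
    return isinstance(name, str) and _LOCALE_ID_RE.match(name) is not None


def resolve_inside(name, data_dir):
    """Second layer: build <data_dir>/<name>.dat and refuse it if the resolved
    path leaves data_dir. Returns the absolute path, or None on escape.
    This catches '../../' on its own, even if the first layer were bypassed."""
    base = os.path.realpath(data_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".dat"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def locale_data_path(name, data_dir):
    """Apply both layers before any file is opened."""
    if not identifier_is_wellformed(name):
        raise ValueError(f"invalid locale identifier: {name!r}")
    path = resolve_inside(name, data_dir)
    if path is None:
        raise ValueError(f"locale path escapes data directory: {name!r}")
    return path


def load_locale(name, data_dir):
    """pickle.load() is only reached for a validated, in-directory file."""
    with open(locale_data_path(name, data_dir), "rb") as fh:
        return pickle.load(fh)
```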
Source: This report was generated using AI