CVE-2025-22153: 
Python vulnerability analysis and mitigation

RestrictedPython, a tool designed to define a subset of the Python language for providing program input in a trusted environment, was found to contain a critical security vulnerability (CVE-2025-22153) discovered on January 23, 2025. The vulnerability affects versions starting from 6.0 and prior to version 8.0, specifically when using try/except* functionality in Python versions 3.11 through 3.13.2 (GitHub Advisory).

The vulnerability stems from a type confusion bug in the CPython interpreter when using try/except* clauses, which could lead to a sandbox escape. The issue has been assigned a CVSS v3.1 base score of 7.9 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L, indicating network attack vector, high attack complexity, high privileges required, no user interaction needed, changed scope, and high impact on confidentiality and integrity with low impact on availability (NVD).

The vulnerability allows attackers to bypass RestrictedPython's security restrictions, potentially leading to unauthorized code execution and sandbox escape. This could compromise the integrity of the trusted environment that RestrictedPython is designed to maintain (GitHub Advisory).

The vulnerability has been patched in RestrictedPython version 8.0 by completely removing support for try/except* clauses. Additionally, ExceptionGroup has been removed from safe_builtins as it is only useful with try/except*. No alternative workarounds are available, making upgrading to version 8.0 the only solution (GitHub Commit).