
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A medium-severity vulnerability (CVE-2025-4516) was discovered in CPython affecting `bytes.decode()` when the `unicode_escape` codec is used with a non-strict error handler. The vulnerability was disclosed on May 15, 2025, and affects multiple versions of Python. The issue is specific to calls of the form `bytes.decode("unicode_escape", errors="ignore")` or `bytes.decode("unicode_escape", errors="replace")` (Python Security).
The vulnerability is a use-after-free in the unicode_escape decoder's error-handling path. When the error handler is invoked, a new bytes object is created to set as the `object` attribute of the UnicodeDecodeError, and that bytes object then replaces the original input data. A pointer into the data being decoded becomes invalid once that temporary bytes object is destroyed, and the decoder later uses it (CPython Commit). The vulnerability has been assigned a CVSS v4.0 base score of 5.9 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (NVD): local attack vector, high attack complexity, and availability as the only impacted property, which is consistent with a crash rather than data disclosure or code execution.
Exploitation would most likely result in a crash of the affected process (denial of service). The impact is limited to applications that decode attacker-controlled bytes with the unicode_escape codec and an `ignore` or `replace` error handler; applications that do not use this combination are not affected (Wiz).
A workaround is available for affected systems: drop the `errors=` argument (leaving the default strict handler) and wrap the `bytes.decode()` call in a try/except block that catches `UnicodeDecodeError`. The strict handler raises at the first malformed escape instead of substituting and continuing, so the freed data is never read. A permanent fix has been implemented in the CPython codebase through pull request #129648 (Python Security).
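The affected call pattern next to the advisory's workaround, as an added example that is not code from the Wiz page or from CPython. The sample inputs are constructed: a truncated `\x` escape (needs two hex digits) and a truncated `\u` escape (needs four) are decode errors in unicode_escape, and an unrecognised escape such as `\d` placed before such an error matches the "pointer to an earlier position, then an error handler that replaces the input" shape described above. The function names are this example's own; `lenient_decode` shows the affected pattern for comparison only and is not called by anything here.

```python
"""CVE-2025-4516 workaround example (added here; not from the Wiz page or CPython).

Shows the affected bytes.decode("unicode_escape", errors=...) pattern beside
the advisory's try/except workaround, applied to constructed sample inputs.
"""

# Constructed sample inputs (not captured data). unicode_escape processes
# backslash escapes; a truncated \x (two hex digits) or \u (four hex digits)
# is a decode error, and the "ignore"/"replace" handlers are what put the
# decoder on the use-after-free path described for CVE-2025-4516.
TRUNCATED_X = b"host=\\x4"               # \x followed by only one hex digit
TRUNCATED_U = b"user=\\u00"              # \u followed by only two hex digits
INVALID_THEN_TRUNCATED = b"\\d then \\x" # unknown escape \d first, then the error
WELL_FORMED = b"tab\\tquote\\x22\\u00e9" # decodes cleanly: tab, '"', 'é'


def lenient_decode(data: bytes) -> str:
    """The affected pattern: errors="replace" (or "ignore") on unicode_escape.

    Kept for comparison only; deliberately not exercised, since on an
    unpatched interpreter this is the call that reads freed memory.
    """
    return data.decode("unicode_escape", errors="replace")


def strict_decode(data: bytes):
    """Advisory workaround: strict decoding wrapped in try/except.

    Returns the decoded text, or None when the input contains a malformed
    escape. The strict handler raises at the first bad escape instead of
    substituting and continuing, so the dangling pointer is never used.
    """
    try:
        return data.decode("unicode_escape")
    except UnicodeDecodeError:
        return None


def describe_failure(data: bytes) -> str:
    """Return the decoder's reason and offending byte range for a log line
    or rejection message, or "ok" when the input decodes cleanly."""
    try:
        data.decode("unicode_escape")
    except UnicodeDecodeError as exc:
        return f"{exc.reason} at bytes {exc.start}:{exc.end}"
    return "ok"


def decode_records(records):
    """Apply the workaround over a batch of byte strings.

    Malformed inputs are kept aside with their failure description rather
    than silently turned into U+FFFD the way errors="replace" would do.
    Returns (accepted_texts, [(raw_bytes, reason), ...]).
    """
    accepted, rejected = [], []
    for raw in records:
        text = strict_decode(raw)
        if text is None:
            rejected.append((raw, describe_failure(raw)))
        else:
            accepted.append(text)
    return accepted, rejected


if __name__ == "__main__":
    batch = [WELL_FORMED, TRUNCATED_X, TRUNCATED_U, INVALID_THEN_TRUNCATED]
    ok, bad = decode_records(batch)
    for text in ok:
        print("accepted:", repr(text))
    for raw, why in bad:
        print("rejected:", raw, "->", why)
```

On a normal CPython build the unpatched `lenient_decode` path usually does not crash visibly, because the freed block is often still mapped and readable; an AddressSanitizer build aborts on the read. The rejection list is also where a detection hook belongs: a spike in "truncated" rejections on an input path that previously used `errors="replace"` is attacker-shaped input arriving at exactly the code the advisory describes.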
Source: This report was generated using AI