CVE-2025-61911: 
Python vulnerability analysis and mitigation

CVE-2025-61911 is a security vulnerability discovered in the python-ldap library affecting versions prior to 3.4.5. The vulnerability was disclosed on October 10, 2025, and involves a sanitization bypass in the ldap.filter.escapefilterchars method. The vulnerability specifically affects the library's input sanitization functionality when using escape_mode=1 configuration (GitHub Advisory).

The vulnerability exists in the ldap.filter.escapefilterchars method when using escapemode=1 configuration. The method fails to properly validate input types, allowing attackers to bypass character escaping by supplying crafted list or dict objects as the assertionvalue parameter instead of the expected string type. While escapemode=0 (default) and escapemode=2 raise exceptions for invalid input types, escape_mode=1 processes the input without proper escaping (GitHub Advisory).

If an application relies on the vulnerable method to escape untrusted user input, attackers could potentially launch LDAP injection attacks to disclose or manipulate LDAP data that should be inaccessible to them. The impact is particularly relevant in applications that process JSON data, which commonly includes list and dict objects that might be forwarded unchecked to the vulnerable sanitization method (GitHub Advisory).

The vulnerability has been patched in python-ldap version 3.4.5. The fix adds a type check at the start of the ldap.filter.escapefilterchars method to raise an exception when the supplied assertion_value parameter is not of type str. Users are advised to upgrade to version 3.4.5 or later to address this vulnerability (GitHub Release).