
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-61912 is a vulnerability in python-ldap versions 3.4.4 and earlier, disclosed on October 10, 2025. It affects the ldap.dn.escape_dn_chars() function, which mishandles the NUL character when escaping values for LDAP Distinguished Names (DNs). The issue was reported by aradona91 and carries a Low severity rating (Python LDAP Release, GitHub Advisory).
In affected versions, escape_dn_chars() escapes \x00 by emitting a backslash followed by a literal NUL byte rather than the RFC 4514 hex form \00. The buggy replacement is s.replace('\000', '\\\000'), so the function returns a Python string that still contains an embedded NUL. python-ldap's C extension converts such arguments to NUL-terminated C strings and rejects any that contain an embedded NUL, so the calling API raises ValueError before any network I/O takes place (GitHub Advisory).
When an application uses escape_dn_chars() to build DN strings from untrusted input, a single NUL character in attacker-controlled data is enough to break the client workflow: crashes, unhandled exceptions, stuck retries, or poisoned queue records. This amounts to a client-side denial of service. Exposed code paths include user creation and rename tools, sync/ETL jobs, portals that allow self-service attributes, device onboarding, and batch imports, that is, anywhere external input becomes a DN component (GitHub Advisory).
python-ldap 3.4.5 fixes the issue by escaping NUL as the RFC 4514 hex form \00; in the source the replacement becomes s.replace('\x00', '\\00'). Note the doubled backslash in the Python literal: the result is the three characters backslash, 0, 0, whereas '\00' on its own would be an octal escape for another NUL byte. Users should upgrade to version 3.4.5 or later to receive the fix (Python LDAP Release).
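The following is an added example, not python-ldap's own source: it places the vulnerable NUL replacement beside the fixed one inside a DN-escaping routine reconstructed from RFC 4514 section 2.4 and the advisory's description, shows why the vulnerable output trips python-ldap's embedded-NUL check while the fixed output is wire-safe and still decodes to the original input, and adds a caller-side guard for deployments that cannot upgrade yet. The names _escape, escape_dn_chars_vulnerable, escape_dn_chars_fixed, has_embedded_nul, unescape_dn_value, reject_control_chars and build_user_dn are illustrative, and the hostile CN is constructed for the demonstration.

```python
# Added example (not python-ldap's code): the NUL-handling bug behind
# CVE-2025-61912 next to the fixed form, plus a caller-side guard.
# _escape reconstructs the escaping rules of RFC 4514 section 2.4; the two
# NUL replacements are the before/after from the advisory, everything else
# here is illustrative.

HEX = "0123456789abcdefABCDEF"


def _escape(s: str, nul_replacement: str) -> str:
    """Escape an attribute value for use in a DN, RFC 4514 style.

    nul_replacement is the text substituted for each U+0000 in the input;
    it is the only thing that differs between the vulnerable and fixed paths.
    """
    if not s:
        return s
    s = s.replace("\\", "\\\\")            # backslash first so later escapes are not doubled
    for ch in ',+"<>;=\n\r':               # specials that need a preceding backslash
        s = s.replace(ch, "\\" + ch)
    s = s.replace("\x00", nul_replacement)
    if s[-1] == " ":                        # trailing space must be escaped
        s = s[:-1] + "\\ "
    if s[0] in "# ":                        # leading '#' or space must be escaped
        s = "\\" + s
    return s


def escape_dn_chars_vulnerable(s: str) -> str:
    """python-ldap <= 3.4.4 behaviour: backslash followed by a literal NUL byte."""
    return _escape(s, "\\\x00")


def escape_dn_chars_fixed(s: str) -> str:
    """python-ldap >= 3.4.5 behaviour: the RFC 4514 hex pair \\00."""
    return _escape(s, "\\00")


def has_embedded_nul(value: str) -> bool:
    """The condition that breaks python-ldap's C layer: a str argument with a
    NUL in it is rejected with ValueError before anything is sent on the wire."""
    return "\x00" in value


def unescape_dn_value(s: str) -> str:
    """Undo RFC 4514 escaping for single-byte values (enough to check that the
    fixed form still decodes to the original input). \\XX hex pairs become the
    byte XX, \\<char> becomes <char>."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            if i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
                out.append(chr(int(s[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(s[i + 1])
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def reject_control_chars(value: str) -> str:
    """Caller-side mitigation for code that cannot upgrade yet (a policy choice
    stricter than RFC 4514 requires): refuse NUL and the other C0 controls,
    which have no business in a user-supplied CN, before they reach the DN builder."""
    if any(ord(c) < 0x20 for c in value):
        raise ValueError("control character in DN component")
    return value


def build_user_dn(cn: str, base_dn: str, escape=escape_dn_chars_fixed) -> str:
    """Build the DN of a user entry from an untrusted CN (self-service form, CSV import)."""
    return f"cn={escape(cn)},{base_dn}"


if __name__ == "__main__":
    # Constructed attacker input: a CN with a NUL in the middle.
    hostile_cn = "alice\x00admin"
    base = "ou=people,dc=example,dc=com"

    vuln_dn = build_user_dn(hostile_cn, base, escape=escape_dn_chars_vulnerable)
    fixed_dn = build_user_dn(hostile_cn, base)
    print(repr(vuln_dn), "embedded NUL:", has_embedded_nul(vuln_dn))    # True  -> ValueError in python-ldap
    print(repr(fixed_dn), "embedded NUL:", has_embedded_nul(fixed_dn))  # False -> wire-safe, still decodes
    print(repr(unescape_dn_value("alice\\00admin")))                   # 'alice\x00admin'
    try:
        reject_control_chars(hostile_cn)
    except ValueError as exc:
        print("rejected up front:", exc)
```

The two escape functions differ only in the string handed to _escape for NUL, which is exactly the one-line change the advisory describes; unescape_dn_value shows that the hex form is a faithful encoding of the input rather than a lossy strip. reject_control_chars is the compensating control for code that still ships python-ldap 3.4.4: it fails closed on the input that would otherwise surface as an unhandled ValueError deep inside a sync job or import.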
Source: This report was generated using AI