CVE-2025-12781

MEDIUM

CVSS v3

5.3

MEDIUM

EPSS Score

0.0%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior

Technical Details

CVSS v3 Vector
3.1
Published
1/21/2026
Last Modified
2/2/2026

Frequently Asked Questions

What is CVE-2025-12781?

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior

Is CVE-2025-12781 actively exploited?

Active exploitation of CVE-2025-12781 has not been confirmed. The EPSS score is 0.0%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-12781?

CVE-2025-12781 has a CVSS v3 base score of 5.3 (MEDIUM severity), with vector string 3.1.

Is CVE-2025-12781 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.