CVE-2025-12781
MEDIUMCVSS v3
5.3
MEDIUM
EPSS Score
0.0%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 1/21/2026
- Last Modified
- 2/2/2026
Frequently Asked Questions
What is CVE-2025-12781?
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior
Is CVE-2025-12781 actively exploited?
Active exploitation of CVE-2025-12781 has not been confirmed. The EPSS score is 0.0%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2025-12781?
CVE-2025-12781 has a CVSS v3 base score of 5.3 (MEDIUM severity), with vector string 3.1.
Is CVE-2025-12781 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.