os.path.normpath() truncates on null bytes

2023-08-2400:00:00

Google

osv.dev

os.path.normpath

null bytes

allowlisting

python

security

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

23.0%

JSON

Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes.

If allowlisting is applied before a call to os.path.normpath() is used later in the program, the allowlisting can be circumvented if the path containing null bytes is constructed to pass the allowlist but then change to the targeted resource after truncation.

CPENameOperatorVersion
cpythoneq3.12.0a3
cpythoneq3.11.0a6
cpythoneq3.11.0
cpythoneq3.11.0b1
cpythoneq3.12.0b3
cpythoneq3.11.0a5
cpythoneq3.11.0rc1
cpythoneq3.11.2
cpythoneq3.11.0b4
cpythoneq3.11.0b2

Name	Operator	Version
cpython	eq	3.12.0a3
cpython	eq	3.11.0a6
cpython	eq	3.11.0
cpython	eq	3.11.0b1
cpython	eq	3.12.0b3
cpython	eq	3.11.0a5
cpython	eq	3.11.0rc1
cpython	eq	3.11.2
cpython	eq	3.11.0b4
cpython	eq	3.11.0b2