
Routine base64.b64decode: Security hole #141040

@Hans-Peter-Cad


Bug report

Bug description:

Module 'base64', routine 'b64decode':

When using parameter 'altchars', the original chars '+', '/' - mentioned in the documentation as belonging to the "normal base64 alphabet" - are still recognized as legal, even if 'validate = True'.

This behaviour is a security hole, because it can be used for information leaking.

Background: I found this behaviour inside (encrypted) base64 files, more or less by accident. Imagine: By exchanging alternative chars back to normal chars in such a file, you could smuggle some additional info into that file, without alarming anyone.

The tested version was CPython 3.13.7.

CPython versions tested on:

3.13

Operating systems tested on:

Windows
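
One way for a caller to enforce the declared alphabet before decoding, as an added example that is not part of the original report or of CPython's own code. The helper names `strict_b64decode` and `stdlib_accepts` are hypothetical, and the sample tokens are constructed for illustration.

```python
import base64
import binascii
import string

# The 62 characters shared by every base64 variant.
_BASE = (string.ascii_uppercase + string.ascii_lowercase + string.digits).encode()


def strict_b64decode(data: bytes, altchars: bytes = b"-_") -> bytes:
    """Decode base64 that must use `altchars` for values 62 and 63.

    Rejects any byte outside A-Z, a-z, 0-9, the two altchars and '=',
    so '+' and '/' cannot stand in for the alternative characters.
    """
    if len(altchars) != 2:
        raise ValueError("altchars must be exactly two bytes")
    allowed = set(_BASE + altchars + b"=")
    bad = sorted({b for b in data if b not in allowed})
    if bad:
        raise ValueError(f"bytes outside declared alphabet: {bytes(bad)!r}")
    # validate=True still checks padding and overall structure.
    return base64.b64decode(data, altchars=altchars, validate=True)


def stdlib_accepts(data: bytes, altchars: bytes = b"-_") -> bool:
    """Report whether the running interpreter's b64decode accepts `data`."""
    try:
        base64.b64decode(data, altchars=altchars, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


if __name__ == "__main__":
    # Constructed samples: all three spell the bytes fb ff fe.
    samples = {
        "declared alphabet only": b"-__-",
        "standard alphabet only": b"+//+",
        "mixed alphabets": b"-_/+",
    }
    for label, token in samples.items():
        try:
            strict = strict_b64decode(token).hex()
        except ValueError as exc:
            strict = f"rejected ({exc})"
        print(f"{label:24} stdlib accepts={stdlib_accepts(token)} strict={strict}")
```

Run as a script, it prints the interpreter's own verdict next to the strict one, which shows whether a given Python version has the behaviour described in this report.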

Labels: type-bug (An unexpected behavior, bug, or error)
