CVE-2025-69660

Python

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-69660 describes a NULL pointer dereference vulnerability found within the `TagSection.keys()` function of `python-apt` on APT-based Linux systems. This flaw enables a local attacker to trigger a denial of service by providing a specially crafted `deb822` file that contains a malformed non-UTF-8 key. The vulnerability can lead to a process crash. The vulnerability was published by the NVD on December 5, 2025, and has been acknowledged by Canonical Ltd., the assigning CNA. Fixes have been added for various Debian and Ubuntu versions, though some Debian versions still lack a fix as of December 2025.

Description
-

Social media

Hype score
Not currently trending

  1. I found an SSRF vulnerability bypass via DNS rebinding in simstudioai/sim a project with 25k+ stars on GitHub (CVE-2025-69660). Full write-up: https://t.co/eU3wf4d4Rd #security #websecurity #appsec #cve #bugbounty

    @aydinnyunuss

    14 Mar 2026

    3764 Impressions

    18 Retweets

    95 Likes

    68 Bookmarks

    1 Reply

    0 Quotes

Related CVEs

  1. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.CVE-2025-64459
  2. An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. NFKC normalization in Python is slow on Windows. As a consequence, `django.http.HttpResponseRedirect`, `django.http.HttpResponsePermanentRedirect`, and the shortcut `django.shortcuts.redirect` were subject to a potential denial-of-service attack via certain inputs with a very large number of Unicode characters. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue.CVE-2025-64458
  3. Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking `Content-Type: multipart/form-data` in a proxy.CVE-2025-47287
  4. h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.CVE-2025-43859
  5. PyTorch is a Python package that provides tensor computation with strong GPU acceleration and deep neural networks built on a tape-based autograd system. In version 2.5.1 and prior, a Remote Command Execution (RCE) vulnerability exists in PyTorch when loading a model using torch.load with weights_only=True. This issue has been patched in version 2.6.0.CVE-2025-32434

References

Sources include official advisories and independent security research.