Security News > 2021 > May > Python also impacted by critical IP address validation vulnerability

The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the "Netmask" library earlier this year.
The researchers who had discovered the critical flaw in netmask, also discovered the same flaw in this Python module and have procured a vulnerability identifier: CVE-2021-29921.
The regression bug crept into Python 3.x's ipaddress module as a result of a change made in 2019 by Python maintainers.
Of particular note is the fact, 127.0.0.1 is not a public IP address but a loopback address its ambiguous representation changes it to a public IP address leading to a different host altogether.
"Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate on many programs that rely on Python stdlib ipaddress," state the researchers.
Although ipaddress module was introduced in Python 3.3, this regression bug crept into the module starting with Python version 3.8.0 through 3.10, according to the researchers.
News URL
Related news
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking (source)
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX (source)
- Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) (source)
- Infoseccers criticize Veeam over critical RCE vulnerability and a failing blacklist (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-05-06 | CVE-2021-29921 | In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. | 9.8 |