CVE-2025-50817

[MallocArray]

Trivy scanner is now detecting future as having a High severity CVE
https://avd.aquasec.com/nvd/2025/cve-2025-50817/

Will this be addressed in an update to this module?

[M1ndas]

Relates to: #268

[kishorchouhan]

@edschofield We got below dependabot for future package. When can we expect this to be solved. TIA

[fried]

This CVE is beyond ridiculous. High severity is laughable. It boils down to "If you have access to my code you can execute arbitrary code".

test is in the standard lib, the standard lib has many modules and any of them could be "exploited" in this exact way. The only ones safe are builtins modules like "sys".

If this is an expliot, then every piece of python code ever written that imports from the stdlib in any capacity is also exploited. Basic python import semantics is not a CVE. The exploit wouldn't even be in this project it would be in cpython itself. The only problem that project is active and everyone would realize how insane the CVE was and it would get redacted

[fried]

Even an LLM can easily shred this CVE - https://gist.github.com/fried/d2108a4932f3a22712dfc04598b5b8ce
Its a common issue, not a CVE - https://python-notes.curiousefficiency.org/en/latest/python_concepts/import_traps.html#the-name-shadowing-trap

https://docs.python.org/3/reference/import.html
https://docs.python.org/3/reference/import.html#searching
https://docs.python.org/3/library/sys_path_init.html
https://docs.python.org/3/library/test.html

[iamleot]

Thanks @fried for sharing context.

I have requested this CVE to be rejected via MITRE CVE Request web form (CVE Request 1919432 for Update Published CVE) and linked both the standard Python documentation and this discussion.

[M1ndas]

Any updates to the CVE update request, @iamleot ?

[iamleot]

@MindaugasBernatavicius no, I have not received any updates.

[iamleot]

Hello, JFTR CVE-2025-50817 was marked as Disputed.