CVE-2025-50817
Publication date 14 August 2025
Last updated 20 October 2025
Ubuntu priority
CVSS 3 Severity Score
Description
A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code. NOTE: Multiple third parties have disputed this issue and stated that it is not a security flaw in python-future and is a documented feature of Python’s import system in the handling of sys.path.
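The first-match resolution over sys.path that the description and the dispute both turn on, shown as an added example (not code from python-future or from Ubuntu): it reports which file `import test` would load for a given search order and flags a result that lies outside a trusted directory. The directory layout and the function names `resolve`, `is_shadowed` and `build_demo` are constructed for illustration.

```python
import importlib
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path


def resolve(name, search_path):
    """Return the file a top-level `import name` would load from search_path.

    PathFinder walks the entries in order and stops at the first match,
    which is the same first-match rule the import system applies to sys.path.
    Nothing is executed: only the module spec is looked up.
    """
    importlib.invalidate_caches()
    spec = PathFinder.find_spec(name, [str(p) for p in search_path])
    return Path(spec.origin).resolve() if spec and spec.origin else None


def is_shadowed(name, search_path, trusted_dirs):
    """True if `name` resolves to a file outside every trusted directory."""
    origin = resolve(name, search_path)
    if origin is None:
        return False  # nothing to import, nothing to shadow
    trusted = [Path(d).resolve() for d in trusted_dirs]
    return not any(origin.is_relative_to(t) for t in trusted)


def build_demo(root):
    """Constructed layout: a stand-in stdlib holding a `test` package and a
    writable application directory holding a stray test.py."""
    stdlib = Path(root) / "stdlib"
    app = Path(root) / "app"
    (stdlib / "test").mkdir(parents=True)
    (stdlib / "test" / "__init__.py").write_text("# stand-in for stdlib test\n")
    app.mkdir()
    (app / "test.py").write_text("# stray file, never executed here\n")
    return stdlib, app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        stdlib, app = build_demo(root)
        # Same two directories, two search orders: only the order changes the result.
        for order in ([app, stdlib], [stdlib, app]):
            print([p.name for p in order], "->", resolve("test", order),
                  "shadowed:", is_shadowed("test", order, [stdlib]))
```

To audit a real interpreter, pass `sys.path` as the search path and the directory returned by `sysconfig.get_paths()["stdlib"]` as the trusted directory.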
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| python-future | 25.10 questing | Not in release |
| | 25.04 plucky | Not in release |
| | 24.04 LTS noble | Not affected |
| | 22.04 LTS jammy | Not affected |
| | 20.04 LTS focal | Not affected |
| | 18.04 LTS bionic | Not affected |
| | 16.04 LTS xenial | Not affected |
Notes
mdeslaur
Versions earlier than 1.0.0 are also affected; the "flaw" was introduced in the following commit: https://github.com/PythonCharmers/python-future/commit/b9c7593e4e1478240522a71a6c85ecd24cc3d20a. This is unlikely to be an actual vulnerability as "test" is part of the Python stdlib. This CVE is likely to be rejected; see https://github.com/PythonCharmers/python-future/issues/650#issuecomment-3252409616. Marking as not-affected.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |