{"id":"PSF-2023-9","summary":"os.path.normpath() truncates on null bytes","details":"Passing a path with null bytes to the `os.path.normpath()` function causes the returned path to be unexpectedly truncated at the first occurrence of a null byte within the path. Python versions before 3.11.0 didn’t truncate the path on null bytes.\n\nIf allowlisting is applied to a path before it is later passed to `os.path.normpath()`, the allowlisting can be circumvented: a path containing null bytes can be constructed to pass the allowlist but then refer to the targeted resource after truncation.","aliases":["BIT-libpython-2023-41105","BIT-python-2023-41105","BIT-python-min-2023-41105","CVE-2023-41105"],"modified":"2025-09-19T01:45:53.483611Z","published":"2023-08-24T00:00:00Z","references":[{"type":"ADVISORY","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/"},{"type":"WEB","url":"https://github.com/python/cpython/issues/106242"},{"type":"WEB","url":"https://github.com/python/cpython/pull/106816"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"7c12e4835ebe52287acd200a2e76b533413b15d0"},{"fixed":"09322724319d4c23195300b222a1c0ea720af56b"},{"fixed":"ede98958810b76694cf756d305b564cd6adc1a48"},{"fixed":"ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b"}]}],"versions":["v3.11.0","v3.11.0a1","v3.11.0a2","v3.11.0a3","v3.11.0a4","v3.11.0a5","v3.11.0a6","v3.11.0a7","v3.11.0b1","v3.11.0b2","v3.11.0b3","v3.11.0b4","v3.11.0b5","v3.11.0rc1","v3.11.0rc2","v3.11.1","v3.11.2","v3.11.3","v3.11.4","v3.12.0a1","v3.12.0a2","v3.12.0a3","v3.12.0a4","v3.12.0a5","v3.12.0a6","v3.12.0a7","v3.12.0b1","v3.12.0b2","v3.12.0b3","v3.12.0b4","v3.12.0rc1"],"database_specific":{"source":"https://github.com/psf/advisory-database/blob/main/advisories/python/PSF-2023-9.json","vanir_signatures":[{"signature_type":"Function","deprecated":false,"target":{"file":"Python/fileutils.c","function":"_Py_
normpath"},"source":"https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b","digest":{"function_hash":"123869515671459921177400607799595033940","length":2129},"id":"PSF-2023-9-076090bb","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Include/internal/pycore_fileutils.h"},"source":"https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b","digest":{"threshold":0.9,"line_hashes":["94589339907483270990756216343485520979","239109364274517535556801654897340762288","25259274544635127037191737442793627850","41994846448406476700968065517759066304"]},"id":"PSF-2023-9-1ffc221e","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Python/fileutils.c"},"source":"https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b","digest":{"threshold":0.9,"line_hashes":["515148417458665457263374257619273447","19371280750229506485107378446168952474","63046692906348131046675442347003957626","215753089571476627995870181355635484982","304450275394942061861108559626134933924","8994475785571641351648437497467682971","16995322741479286873233816074794672088","284756091124989970253967435267330108934","311231984123438375197142000931147675769","79186272173981669835304626424176279522","46738853502514971466229884153816193017","214665895075825148011242466416260095251","206247705876744498795309970312716893550","192794633737789964149579070490101002084","253887757769686010130602909114392587154","30531456649813298176674000064815646378","257435601088827868772632734188655791174","232426917140610754871480411384048317868","123408376135115101231458896114255239547","244261517653655836966656979418506454210","82139791554894907472576626429009198875","305916699876573468835897660132915006530","69986712519756540737872952414501548491","114310545570999918044504109639108240161","146165712154041847941819600485087497720","294447358412442358039172598311523341683"]},"id":"PS
F-2023-9-36e7260f","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"Python/fileutils.c","function":"_Py_normpath"},"source":"https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b","digest":{"function_hash":"123869515671459921177400607799595033940","length":2129},"id":"PSF-2023-9-4c6e336c","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"Python/fileutils.c","function":"_Py_normpath"},"source":"https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48","digest":{"function_hash":"123869515671459921177400607799595033940","length":2129},"id":"PSF-2023-9-721fe33b","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Python/fileutils.c"},"source":"https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48","digest":{"threshold":0.9,"line_hashes":["515148417458665457263374257619273447","19371280750229506485107378446168952474","63046692906348131046675442347003957626","215753089571476627995870181355635484982","304450275394942061861108559626134933924","8994475785571641351648437497467682971","16995322741479286873233816074794672088","284756091124989970253967435267330108934","311231984123438375197142000931147675769","79186272173981669835304626424176279522","46738853502514971466229884153816193017","214665895075825148011242466416260095251","206247705876744498795309970312716893550","192794633737789964149579070490101002084","253887757769686010130602909114392587154","30531456649813298176674000064815646378","257435601088827868772632734188655791174","232426917140610754871480411384048317868","123408376135115101231458896114255239547","244261517653655836966656979418506454210","82139791554894907472576626429009198875","305916699876573468835897660132915006530","69986712519756540737872952414501548491","114310545570999918044504109639108240161","146165712154041847941819600485087497720","2944473584124423
58039172598311523341683"]},"id":"PSF-2023-9-7a3a5678","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Modules/posixmodule.c"},"source":"https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b","digest":{"threshold":0.9,"line_hashes":["98606404312462299377254141299941899187","38855887028671729556643722732300986147","46259203773174362429382359868322128138","47872892090071878361921810286731350536"]},"id":"PSF-2023-9-8eb0884a","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Include/internal/pycore_fileutils.h"},"source":"https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b","digest":{"threshold":0.9,"line_hashes":["94589339907483270990756216343485520979","292599872198470183948840414699213225775","219743046610614162110260262734717863543","17152971081213676352576152769838112481"]},"id":"PSF-2023-9-9943d75f","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Python/fileutils.c"},"source":"https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b","digest":{"threshold":0.9,"line_hashes":["515148417458665457263374257619273447","19371280750229506485107378446168952474","63046692906348131046675442347003957626","215753089571476627995870181355635484982","304450275394942061861108559626134933924","8994475785571641351648437497467682971","16995322741479286873233816074794672088","284756091124989970253967435267330108934","311231984123438375197142000931147675769","79186272173981669835304626424176279522","46738853502514971466229884153816193017","214665895075825148011242466416260095251","206247705876744498795309970312716893550","192794633737789964149579070490101002084","253887757769686010130602909114392587154","30531456649813298176674000064815646378","257435601088827868772632734188655791174","232426917140610754871480411384048317868","123408376135115101231458896114255239547","244261517653655836966
656979418506454210","82139791554894907472576626429009198875","305916699876573468835897660132915006530","69986712519756540737872952414501548491","114310545570999918044504109639108240161","146165712154041847941819600485087497720","294447358412442358039172598311523341683"]},"id":"PSF-2023-9-a7fb5367","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"Modules/posixmodule.c","function":"os__path_normpath_impl"},"source":"https://github.com/python/cpython/commit/ccf81e1088c25a9f4464e478dc3b5c03ed7ee63b","digest":{"function_hash":"29533358781224774915024736303119647952","length":379},"id":"PSF-2023-9-c6c907c0","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Include/internal/pycore_fileutils.h"},"source":"https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48","digest":{"threshold":0.9,"line_hashes":["94589339907483270990756216343485520979","292599872198470183948840414699213225775","219743046610614162110260262734717863543","17152971081213676352576152769838112481"]},"id":"PSF-2023-9-c74a7516","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"Modules/posixmodule.c","function":"os__path_normpath_impl"},"source":"https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48","digest":{"function_hash":"29533358781224774915024736303119647952","length":379},"id":"PSF-2023-9-c93bc77f","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Modules/posixmodule.c"},"source":"https://github.com/python/cpython/commit/ede98958810b76694cf756d305b564cd6adc1a48","digest":{"threshold":0.9,"line_hashes":["98606404312462299377254141299941899187","38855887028671729556643722732300986147","46259203773174362429382359868322128138","47872892090071878361921810286731350536"]},"id":"PSF-2023-9-e4d7cc37","signature_version":"v1"},{"signature_type":"Function","deprecated":false,"target":{"file":"Modules/p
osixmodule.c","function":"os__path_normpath_impl"},"source":"https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b","digest":{"function_hash":"29533358781224774915024736303119647952","length":379},"id":"PSF-2023-9-e989f9e3","signature_version":"v1"},{"signature_type":"Line","deprecated":false,"target":{"file":"Modules/posixmodule.c"},"source":"https://github.com/python/cpython/commit/09322724319d4c23195300b222a1c0ea720af56b","digest":{"threshold":0.9,"line_hashes":["98606404312462299377254141299941899187","38855887028671729556643722732300986147","46259203773174362429382359868322128138","47872892090071878361921810286731350536"]},"id":"PSF-2023-9-e9dfdb0d","signature_version":"v1"}]}}],"schema_version":"1.7.3","credits":[{"name":"Noriko Totsuka of JPCERT/CC","type":"FINDER"},{"name":"Masashi Yamane of LAC Co., Ltd","type":"FINDER"},{"name":"Delta Regeer","type":"REPORTER"},{"name":"Finn Womack","type":"REMEDIATION_DEVELOPER"},{"name":"Steve Dower","type":"REMEDIATION_REVIEWER"},{"name":"Seth Michael Larson","type":"COORDINATOR"}]}