CVE-2025-15366

Name	CVE-2025-15366
Description	The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4455-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jython (PTS)	bullseye	2.7.2+repack1-3	vulnerable
	forky, sid, bookworm, trixie	2.7.3+repack1-1	vulnerable
pypy3 (PTS)	bullseye	7.3.5+dfsg-2+deb11u2	vulnerable
	bullseye (security)	7.3.5+dfsg-2+deb11u5	vulnerable
	bookworm	7.3.11+dfsg-2+deb12u3	vulnerable
	trixie	7.3.19+dfsg-2	vulnerable
	forky, sid	7.3.20+dfsg-4	vulnerable
python2.7 (PTS)	bullseye	2.7.18-8+deb11u1	vulnerable
python3.11 (PTS)	bookworm	3.11.2-6+deb12u6	vulnerable
	bookworm (security)	3.11.2-6+deb12u3	vulnerable
python3.13 (PTS)	trixie	3.13.5-2	vulnerable
	forky, sid	3.13.12-1	vulnerable
python3.14 (PTS)	forky, sid	3.14.3-1	vulnerable
python3.9 (PTS)	bullseye	3.9.2-1	vulnerable
	bullseye (security)	3.9.2-1+deb11u5	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
jython	source	bullseye	(unfixed)	end-of-life
jython	source	(unstable)	(unfixed)
pypy3	source	(unstable)	(unfixed)
python2.7	source	bullseye	(unfixed)	end-of-life
python2.7	source	(unstable)	(unfixed)
python3.11	source	(unstable)	(unfixed)
python3.13	source	(unstable)	(unfixed)
python3.14	source	(unstable)	(unfixed)
python3.9	source	bullseye	3.9.2-1+deb11u5		DLA-4455-1
python3.9	source	(unstable)	(unfixed)

Notes

[trixie] - pypy3 <no-dsa> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue)
[bullseye] - python2.7 <end-of-life> (EOL in bullseye LTS)
[trixie] - jython <no-dsa> (Minor issue)
[bookworm] - jython <no-dsa> (Minor issue)
[bullseye] - jython <end-of-life> (EOL in bullseye LTS)
https://github.com/python/cpython/issues/143921
https://github.com/python/cpython/pull/143922
https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/
https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45 (main)
Potential regression: https://github.com/python/cpython/pull/143922#issuecomment-3774866549