CVE-2025-50817

Name	CVE-2025-50817
Description	A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
python-future (PTS)	bullseye	0.18.2-5	vulnerable
	bookworm	0.18.2-6	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
python-future	source	(unstable)	(unfixed)

Notes

[bookworm] - python-future <no-dsa> (Minor issue)
https://medium.com/@abcd_68700/cve-2025-50817-python-future-module-arbitrary-code-execution-via-unintended-import-of-test-py-f0818ea93cf4
https://github.com/PythonCharmers/python-future/issues/268
Project is EOL/unmaintained; no upstream fix is likely.
CVE may be rejected. https://github.com/PythonCharmers/python-future/issues/650#issuecomment-3252409616