try/except* clauses could allow bypass of RestrictedPython via a type confusion bug in the CPython interpreter

High severity | GitHub Reviewed | Published Jan 23, 2025 in zopefoundation/RestrictedPython • Updated Jan 23, 2025

Description
Published to the GitHub Advisory Database: Jan 23, 2025
Reviewed: Jan 23, 2025
Published by the National Vulnerability Database: Jan 23, 2025
Last updated: Jan 23, 2025

Impact
Via a type confusion bug in the CPython interpreter, RestrictedPython could be bypassed when using try/except*. We believe this should be fixed upstream in Python itself; until then, we remove support for try/except* from RestrictedPython. (It has been fixed for some Python versions.)
Patches
Patched in version 8.0 by removing support for try/except* clauses.
Workarounds
There is no workaround.
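
Because 8.0 removes support for try/except*, restricted scripts that use the construct need to be located when planning the upgrade. The following is an added example, not code from RestrictedPython or from this advisory: it lists the lines where except* clauses start and checks a version string against the patched release. It inventories code only and does not mitigate the bug on unpatched versions. The function names, script names, script contents and version strings are constructed for illustration.

```python
import io
import tokenize


def except_star_lines(source):
    """Return the line numbers on which an `except*` clause starts.

    Tokens are used instead of the AST so the scan also runs on
    interpreters older than 3.11, which cannot parse `except*`.
    """
    hits, prev = [], None
    try:
        for tok in tokenize.generate_tokens(io.StringIO(source).readline):
            if tok.type in (tokenize.NL, tokenize.COMMENT):
                continue
            if (tok.type == tokenize.OP and tok.string == "*"
                    and prev is not None and prev.type == tokenize.NAME
                    and prev.string == "except"):
                hits.append(prev.start[0])
            prev = tok
    except (tokenize.TokenError, SyntaxError):
        pass  # broken input: keep whatever was found before the error
    return hits


def audit(scripts):
    """Map script name -> lines using except*, omitting clean scripts."""
    found = {}
    for name, source in scripts.items():
        lines = except_star_lines(source)
        if lines:
            found[name] = lines
    return found


def is_patched(version):
    """True from 8.0 on, the release the advisory names as patched."""
    return int(version.split(".")[0]) >= 8


# Constructed sample scripts (hypothetical names and contents).
SAMPLE_SCRIPTS = {
    "report.py": "try:\n    total = sum(values)\nexcept* ValueError:\n    total = 0\n",
    "plain.py": "msg = 'except* E'  # except* in a comment\n"
                "try:\n    x = 1\nexcept ValueError:\n    x = 0\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_SCRIPTS))
    print(is_patched("8.0"), is_patched("7.4"))  # constructed version strings
```

Occurrences of except* inside string literals and comments are not reported, since the scan matches the keyword token followed by the `*` operator.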
References
none