{
  "threat_severity" : "Important",
  "public_date" : "2025-08-14T00:00:00Z",
  "bugzilla" : {
    "description" : "pypi-future: Python future unintended import",
    "id" : "2388642",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2388642"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-94",
  "details" : [ "A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code. NOTE: Multiple third parties have disputed this issue and stated that it is not a security flaw in python-future and is a documented feature of Python’s import system in the handling of sys.path.", "An unintended import flaw was found in the PyPI future package. When the module is loaded, it automatically imports test.py if present in the same directory or the sys.path. This behavior allows an attacker who can write files to the server to execute arbitrary code." ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "openshift-serverless-1/kn-eventing-istio-controller-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh-dev-preview-beta/istio-ztunnel-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-cni-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-must-gather-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-pilot-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-proxyv2-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-rhel9-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Not affected",
    "package_name" : "openshift-service-mesh/istio-sail-operator-bundle",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/aap-cloud-metrics-collector-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/ansible-dev-tools-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-25/ee-dellemc-openmanage-rhel8",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible-automation-platform-tech-preview/ansible-devspaces-rhel9",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "future",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "future",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Not affected",
    "package_name" : "future",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "future",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-50817\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-50817\nhttps://github.com/PythonCharmers/python-future\nhttps://medium.com/@abcd_68700/cve-2025-50817-python-future-module-arbitrary-code-execution-via-unintended-import-of-test-py-f0818ea93cf4\nhttps://pypi.org/project/future/" ],
  "name" : "CVE-2025-50817",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}