Description
This CVE refers to the following line of code as having a vulnerability: https://github.com/PythonCharmers/python-future/blob/2d56f83adab5a0957cfc5abbe62db1e2d1912b61/src/future/standard_library/__init__.py#L491

That line of code is `import test`; in the reporters' words:

> When loading the future module, test.py is automatically imported and executed

...but that's what an import statement is meant to do. This one imports the stdlib `test` module: https://docs.python.org/3/library/test.html, unless you have a `test.py` somewhere in your `sys.path` (e.g. in the working directory). There's nothing unique about this particular import that could be described as a vulnerability – every Python import statement uses the same machinery and could import the wrong file (e.g. `os.py`, `platform.py`) if you have one lying around.

Obviously, if your notional attacker is able to write Python files to arbitrary parts of the filesystem, then you have a problem. That is not caused by python-future!

See PythonCharmers/python-future#650 (comment) for further details.
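The import-resolution behaviour described in the issue, shown as an added example that is not code from the python-future project or from the issue author: it writes a constructed `test.py` into a temporary directory, puts that directory at the front of `sys.path` the way running a script from that directory would, and shows that a fresh `import test` now resolves to, and executes, the stray file instead of the stdlib `test` package. The helper names (`fresh_lookup`, `resolve`, `import_marker`, `shadow_demo`) and the `MARKER` constant are the example's own assumptions.

```python
import contextlib
import importlib
import importlib.util
import os
import sys
import tempfile


@contextlib.contextmanager
def fresh_lookup(name, prepend_dir=None):
    """Run the body with a clean import state for `name`.

    The module is dropped from sys.modules so the import system has to search
    sys.path again, optionally with `prepend_dir` placed first (which is what
    the interpreter does with a script's directory, or '' for the cwd when run
    interactively). Everything is restored afterwards so the caller's process
    is not left pointing at a shadow copy.
    """
    saved_path = list(sys.path)
    saved_mod = sys.modules.pop(name, None)
    try:
        if prepend_dir is not None:
            sys.path.insert(0, prepend_dir)
        importlib.invalidate_caches()  # FileFinder caches directory listings
        yield
    finally:
        sys.path[:] = saved_path
        sys.modules.pop(name, None)
        if saved_mod is not None:
            sys.modules[name] = saved_mod


def resolve(name, prepend_dir=None):
    """Return the file a fresh `import name` would load, or None if not found."""
    with fresh_lookup(name, prepend_dir):
        spec = importlib.util.find_spec(name)
        return None if spec is None else spec.origin


def import_marker(name, prepend_dir):
    """Actually import `name` with `prepend_dir` first on sys.path.

    Returns (file that was loaded, value of its MARKER constant if any), which
    proves the module body was executed, not merely located.
    """
    with fresh_lookup(name, prepend_dir):
        mod = importlib.import_module(name)
        return mod.__file__, getattr(mod, "MARKER", None)


def shadow_demo(name="test"):
    """Create a constructed shadow module and compare it with the normal lookup."""
    with tempfile.TemporaryDirectory() as d:
        shadow = os.path.join(d, name + ".py")
        with open(shadow, "w") as f:
            # Constructed stand-in for an attacker-controlled file; a real one
            # could run arbitrary code at import time.
            f.write('MARKER = "shadow %s.py was executed"\n' % name)
        return {
            "normal_origin": resolve(name),          # stdlib package, or None if not installed
            "shadow_origin": resolve(name, d),       # the stray file wins
            "executed": import_marker(name, d),      # and its body runs
            "shadow_path": shadow,
        }


if __name__ == "__main__":
    for key, value in shadow_demo().items():
        print("%-14s %s" % (key, value))
```

The same function works for any top-level name (`shadow_demo("platform")`), which is the point: the lookup order belongs to the interpreter, not to any one `import` statement. Python 3.11 and later can be started with `-P` (or `PYTHONSAFEPATH=1`) so that neither the script's directory nor the current directory is prepended to `sys.path`; that removes the working-directory case, but not files an attacker can write into a directory that is legitimately on the path.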