CVE-2021-29921

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

Published: May 6, 2021
Updated: Nov 4, 2025
CVE: CVE-2021-29921
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
python / python	3.9.0	3.9.5
python / python	3.8.0	3.8.12
oracle / zfs_storage_appliance_kit	8.8	8.8.x
oracle / graalvm	20.3.2	20.3.2.x
oracle / graalvm	21.1.0	21.1.0.x
oracle / communications_cloud_native_core_automated_test_suite	1.8.0	1.8.0.x
oracle / communications_cloud_native_core_network_slice_selection_function	1.8.0	1.8.0.x
oracle / communications_cloud_native_core_binding_support_function	1.11.0	1.11.0.x

https://bugs.python.org/issue36384
https://docs.python.org/3/library/ipaddress.html
https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
https://github.com/python/cpython/pull/12577
https://github.com/python/cpython/pull/25099
https://github.com/sickcodes
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20210622-0003/
https://sick.codes/sick-2021-014
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerability Database

313,825

CVE-2021-29921

Deep Security Visibility Without the Complexity