Vulnerability Database

319,703

Total vulnerabilities in the database

CVE-2021-42771

Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.

Published: Oct 20, 2021
Updated: Nov 16, 2025
CVE: CVE-2021-42771
GHSA: GHSA-h4m5-qpfp-3mpv
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.2
AV:L/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
pocoo / babel	-	2.9.1
debian / debian_linux	10.0	10.0.x
babel	-	2.9.1

https://github.com/python-babel/babel/pull/782
https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html
https://lists.debian.org/debian-lts/2021/10/msg00040.html
https://www.debian.org/security/2021/dsa-5018
https://www.tenable.com/security/research/tra-2021-14

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo