CVE Reports

Originally published at cvereports.com

CVE-2026-22041: Redaction via Destruction: Crashing Python Logs with CVE-2026-22041

Vulnerability ID: CVE-2026-22041
CVSS Score: 7.5
Published: 2026-01-07

A logic error in loggingredactor treats all log arguments as strings, causing fatal TypeErrors in Python's logging module when numeric format specifiers are used.

TL;DR

The loggingredactor library (versions < 0.0.6) attempts to sanitize logs by forcefully converting all inputs to strings. This breaks standard Python logging behavior when using type-specific placeholders like %d or %f, leading to application crashes or silent logging failures.
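As an added example (not loggingredactor's code and not part of the original report), the following Python reproduces the behaviour the TL;DR describes with a minimal redacting filter modelled on the fix commit shown in the Code Analysis section: `force_str=True` plays the pre-0.0.6 logic that coerces every argument to `str` before masking, and `force_str=False` plays the patched logic that masks only `str` arguments. The secret pattern, the mask and the class and function names are constructed for the demo.

```python
import io
import logging
import re

# Constructed demo: a minimal redacting filter modelled on the fix commit.
# It is NOT loggingredactor's code; pattern, mask and names are assumptions.
SECRET_PATTERNS = [re.compile(r"sk_live_[A-Za-z0-9]+")]  # constructed secret shape
MASK = "***"


def _mask_value(value, force_str):
    """Apply the mask patterns to one log argument.

    force_str=True  reproduces the pre-0.0.6 logic: every argument is
                    coerced to str before masking (the CVE-2026-22041 bug).
    force_str=False reproduces the patched logic: only str arguments are
                    masked, everything else passes through untouched.
    """
    if force_str and not isinstance(value, str):
        value = str(value)
    if isinstance(value, str):
        for pattern in SECRET_PATTERNS:
            value = pattern.sub(MASK, value)
    return value


class RedactingFilter(logging.Filter):
    def __init__(self, force_str):
        super().__init__()
        self.force_str = force_str

    def filter(self, record):
        if isinstance(record.args, tuple):
            record.args = tuple(_mask_value(a, self.force_str) for a in record.args)
        elif isinstance(record.args, dict):  # %(name)s style mapping arguments
            record.args = {k: _mask_value(v, self.force_str) for k, v in record.args.items()}
        record.msg = _mask_value(record.msg, self.force_str)
        return True


def render(msg, args, force_str):
    """Filter one record and format it the way a handler would.

    Returns the formatted string, or the TypeError that %-formatting raises
    once a numeric argument has been turned into a str.
    """
    record = logging.LogRecord("demo", logging.INFO, "demo.py", 0, msg, args, None)
    RedactingFilter(force_str).filter(record)
    try:
        return record.getMessage()
    except TypeError as exc:
        return exc


def emit_through_handler(msg, args, force_str):
    """Send the record through a real StreamHandler and return what it wrote.

    With the pre-fix filter the TypeError is caught inside Handler.emit and
    routed to Handler.handleError, so the line is simply missing from the
    stream: the "silent logging failure" the report describes.
    """
    stream = io.StringIO()
    logger = logging.getLogger(f"demo.force_str_{force_str}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter(force_str))
    saved = logging.raiseExceptions
    logging.raiseExceptions = False  # keep handleError from printing a traceback
    try:
        logger.info(msg, *args)
    finally:
        logging.raiseExceptions = saved
    return stream.getvalue()


if __name__ == "__main__":
    for force_str in (True, False):
        label = "pre-0.0.6" if force_str else "patched"
        print(label, render("retries=%d host=%s", (3, "db1"), force_str))
        print(label, render("key=%s", ("sk_live_abc123",), force_str))
        print(label, render("keys=%s", (["sk_live_abc123"],), force_str))
```

`render` shows the `TypeError` that `%d` or `%.2f` raises once the integer has become `"3"`; `emit_through_handler` shows what a real `StreamHandler` does with it: `Handler.handleError` swallows the exception, so the line never reaches the stream. The list case in the `__main__` block also shows the trade-off of the fix: a list argument that the old code masked after stringifying now passes through unredacted, so non-string arguments should not be assumed to be covered by the filter.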


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-704 (Incorrect Type Conversion)
  • Attack Vector: Local / Network (Triggerable via log inputs)
  • CVSS: 7.5 (High)
  • Impact: Denial of Service (Application Crash)
  • Language: Python
  • Fix Status: Patched in v0.0.6

Affected Systems

  • Python applications using loggingredactor < 0.0.6
  • Django/Flask apps with custom logging filters using this library
  • loggingredactor: < 0.0.6 (Fixed in: 0.0.6)

Code Analysis

Commit: 75ae0a0

Fix implicit string conversion causing TypeError in logging

@@ -25,7 +25,7 @@
-            else:
-                content_copy = isinstance(content_copy, str) and content_copy or str(content_copy)
-                for pattern in self._mask_patterns:
-                    content_copy = re.sub(pattern, self._mask, content_copy)
+            elif isinstance(content_copy, str):
+                for pattern in self._mask_patterns:
+                    content_copy = re.sub(pattern, self._mask, content_copy)
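Review bot: the new `elif isinstance(content_copy, str):` branch makes any argument that is not a `str` (and is not handled by an earlier branch of this `if`/`elif` chain) pass through with no masking at all, whereas the removed `else:` masked the `str()` rendering of every value. That is the right call for the `%d`/`%f` TypeError this commit fixes, but it also means a `bytes` value or an object whose `__str__` embeds a secret is no longer redacted; this change in coverage should be stated in the commit message and the library documentation so users do not assume non-string arguments are still covered, and a regression test for the numeric-argument case would keep the bug from returning.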

Exploit Details

  • GitHub Issue: Original issue report demonstrating the TypeError with integer arguments

Mitigation Strategies

  • Upgrade to loggingredactor v0.0.6 or higher immediately.
  • Audit codebase for logging calls using type-specific formatters (e.g., %d, %f) combined with this filter.
  • Implement global exception handling that specifically catches logging errors to prevent thread death.
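One way to carry out the audit item above, as an added example that is not from the report or from loggingredactor: a small `ast`-based scanner that lists logging calls whose literal format string uses a numeric `%`-conversion, which are exactly the calls that raise the `TypeError` under a filter that stringifies arguments. The method-name set, the conversion regex and the embedded sample source are constructed for the demo; it assumes logger calls are written as `<name>.info(...)`, `<name>.log(level, ...)` and so on with a literal format string.

```python
import ast
import re

# Constructed audit helper; not from the CVE report or loggingredactor.
LOG_METHODS = {"debug", "info", "warning", "warn", "error", "critical", "exception", "log"}

# A %-conversion that demands a number: optional %(name) key, flags, width,
# precision, then one of the integer/float conversion characters.
# %s and %r (which call str()/repr()) are deliberately excluded: they are
# unaffected by the string coercion.
NUMERIC_SPEC = re.compile(
    r"%(?:\([^)]*\))?[#0\- +]*(?:\*|\d+)?(?:\.(?:\*|\d+))?[diouxXeEfFgG]"
)


def uses_numeric_conversion(fmt):
    """True if a %-format string contains a numeric conversion.

    '%%' is a literal percent sign, so it is removed before searching;
    otherwise "100%% done" would be mistaken for a "% d" conversion.
    """
    return NUMERIC_SPEC.search(fmt.replace("%%", "")) is not None


def find_numeric_format_logs(source, filename="<string>"):
    """Return (lineno, method, format_string) for every call of the form
    x.<level>(fmt, ...) or x.log(level, fmt, ...) whose fmt is a string
    literal containing a numeric %-conversion."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        method = node.func.attr
        if method not in LOG_METHODS:
            continue
        fmt_index = 1 if method == "log" else 0  # log(level, msg, ...)
        if len(node.args) <= fmt_index:
            continue
        fmt = node.args[fmt_index]
        if (isinstance(fmt, ast.Constant) and isinstance(fmt.value, str)
                and uses_numeric_conversion(fmt.value)):
            hits.append((node.lineno, method, fmt.value))
    return hits


# Constructed sample source for the demo (not real application code).
SAMPLE_SOURCE = '''\
import logging
log = logging.getLogger(__name__)
log.info("user %s logged in", user)
log.warning("retries=%d for %s", n, host)
log.error("latency %.3f s", dt)
log.log(logging.DEBUG, "%(count)d items", {"count": c})
log.info("100%% done")
'''

if __name__ == "__main__":
    for lineno, method, fmt in find_numeric_format_logs(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{lineno}: .{method}() uses a numeric conversion in {fmt!r}")
```

Run it over each `.py` file in the tree (read the file, pass its text to `find_numeric_format_logs`) to get the list of call sites to re-test after the upgrade. Calls that build the format string dynamically, or that use f-strings or `str.format` before logging, are not reported; the latter two are also unaffected by the bug because no `%`-formatting of arguments happens inside the logging module.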

Remediation Steps:

  1. Run pip install --upgrade loggingredactor
  2. Verify the installed version is >= 0.0.6
  3. Restart application services to load the patched library

Read the full report for CVE-2026-22041 on our website for more details including interactive diagrams and full exploit analysis.