Python
cpe:2.3:a:python:python:*:*:*:*:*:*:*
A vulnerability exists in the Python Base64 decoder that can lead to incorrect data processing. When using the `base64.b64decode()` function or similar methods, the decoder stops after the first padded quad, ignoring any additional data. This behavior, which occurs in non-strict mode, contradicts RFC 4648 guidelines and can cause issues when the decoded data is processed by other implementations. The vulnerability affects Python versions 3.13.0 to 3.13.12, 3.14.0 to 3.14.3, and 3.15.0a1 to 3.15.0a7.
This vulnerability can lead to data being improperly decoded, with excess Base64 data after the first padded quad being ignored. This can cause discrepancies when the data is processed by other applications or libraries that handle Base64 decoding correctly.
To reproduce this vulnerability, use the `base64` command-line utility on Linux to decode a Base64 string that includes padding. The string should be one that, when decoded, would normally produce a result longer than the data represented by the first padded quad. Alternatively, use Python's `base64.b64decode()` function in a script or interactive session, and observe how the function ignores data after the first padding, leading to incomplete decoding.
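The following is an added example, not code from this page or from CPython, showing the check a consumer of Base64 data can run before handing input to any decoder: it validates the RFC 4648 shape (four-character quads, padding only in the final quad, nothing after it) and reports the bytes that a lenient decoder which stops at the first padded quad would silently discard. The sample input `YQ==YQ==` (two padded quads, each encoding the single byte `a`) is constructed for the demonstration, and the function names are this example's own.

```python
import re
import base64

# RFC 4648 section 4 alphabet: zero or more full quads, then at most one padded
# final quad. fullmatch() guarantees that nothing may follow the padding, which
# is exactly the case a lenient decoder would truncate instead of reject.
_STRICT_B64 = re.compile(
    rb"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def is_strict_base64(data: bytes) -> bool:
    """True only for syntactically valid RFC 4648 Base64 with padding solely at the end."""
    return _STRICT_B64.fullmatch(data) is not None


def excess_after_padding(data: bytes) -> bytes:
    """Return whatever follows the first quad that contains '=' (empty if nothing does).

    A decoder that stops at the first padded quad never sees these bytes, so two
    implementations can disagree about what the same input decodes to.
    """
    for i in range(0, len(data), 4):
        if b"=" in data[i:i + 4]:
            return data[i + 4:]
    return b""


def audit(data: bytes) -> dict:
    """Classify one input the way a validating front end would log it."""
    strict = is_strict_base64(data)
    return {
        "strict": strict,
        "excess_after_padding": excess_after_padding(data),
        # Only decode input that every conforming implementation will read the same way.
        "decoded": base64.b64decode(data) if strict else None,
    }


def decode_rfc4648(data: bytes) -> bytes:
    """Decode strictly: reject (rather than truncate) input with data after the padding."""
    if not is_strict_base64(data):
        tail = excess_after_padding(data)
        if tail:
            raise ValueError(f"excess data after padding: {tail!r}")
        raise ValueError("input is not RFC 4648 Base64")
    return base64.b64decode(data)


# Constructed sample: two padded quads back to back. A decoder that stops after the
# first padded quad yields b"a"; a strict validator refuses the input altogether.
SAMPLE = b"YQ==" + b"YQ=="

if __name__ == "__main__":
    print("audit:", audit(SAMPLE))
    print("this interpreter's lenient b64decode:", base64.b64decode(SAMPLE))
    try:
        decode_rfc4648(SAMPLE)
    except ValueError as exc:
        print("strict decode rejected input:", exc)
```

Rejecting the input is the safer choice for anything that later passes the decoded bytes to another system (a signature check, a second parser, a different language runtime), because truncation turns a malformed message into a well-formed but shorter one that the other side may not reproduce.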
Users can upgrade to Python versions 3.13.13, 3.14.4, or 3.15.0a8, where this issue has been fixed.