PyPI: duckdb

CVE-2020-10531

Safety vulnerability ID: SFTY-20200312-33923

Safety legacy ID: pyup.io-77524

Affected versions of this package are vulnerable to a heap buffer overflow. The copy of UnicodeString::doAppend() vendored into DuckDB's ICU extension fails to detect 32-bit signed-integer overflow when it computes newLength = oldLength + srcLength, inheriting the upstream ICU bug tracked as CVE-2020-10531.

References

https://github.com/duckdb/duckdb/commit/71e0a85847cf2075b8f9b64bb77431366ab54b45
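The length check the advisory says is missing, as an added illustration written for this page (not DuckDB's or ICU's own code): ICU-style int32_t lengths, a hypothetical UStr type, and an append that refuses to proceed when oldLength + srcLength cannot be represented, rather than growing the buffer from a wrapped length.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal UTF-16 string with int32_t length fields, mirroring the ICU
 * convention the advisory refers to. Hypothetical type for this example. */
typedef struct {
    uint16_t *buf;
    int32_t length;
    int32_t capacity;
} UStr;

/* Returns 1 and stores oldLength + srcLength in *newLength when the sum fits
 * in int32_t, 0 otherwise. The subtraction form compares without ever
 * performing an addition that could itself overflow. */
int checked_append_length(int32_t oldLength, int32_t srcLength, int32_t *newLength) {
    if (oldLength < 0 || srcLength < 0) return 0;
    if (srcLength > INT32_MAX - oldLength) return 0;
    *newLength = oldLength + srcLength;
    return 1;
}

/* Appends srcLength UTF-16 units to s. On overflow or allocation failure it
 * returns 0 and leaves s unchanged; only a validated newLength reaches realloc
 * and memcpy, which is the property the unchecked original lacked. */
int ustr_append(UStr *s, const uint16_t *src, int32_t srcLength) {
    int32_t newLength;
    if (!checked_append_length(s->length, srcLength, &newLength)) return 0;
    if (newLength > s->capacity) {
        /* Guard the capacity doubling as well, for the same reason. */
        int32_t newCap = (newLength <= INT32_MAX / 2) ? newLength * 2 : newLength;
        uint16_t *p = realloc(s->buf, (size_t)newCap * sizeof *p);
        if (p == NULL) return 0;
        s->buf = p;
        s->capacity = newCap;
    }
    memcpy(s->buf + s->length, src, (size_t)srcLength * sizeof *src);
    s->length = newLength;
    return 1;
}
```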

Created at: Nov 5, 2025
Updated at: Nov 5, 2025

Affected Package

Affecting duckdb package, versions <1.3.0

How to Fix

Upgrade duckdb to 1.3.0 or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.