Breaking: Python Issues Emergency Security Updates for Legacy Versions
Python's core development team has rushed out critical security patches for versions 3.12, 3.11, 3.10, and 3.9. The updates—3.12.12, 3.11.14, 3.10.19, and 3.9.24—address multiple high-severity vulnerabilities, including XML parsing flaws, archive exploits, and HTML injection risks. Users running any of these widely deployed versions are urged to upgrade immediately.
“These releases close several security holes that could allow attackers to crash systems or execute arbitrary code,” said Pablo Galindo, Python release manager. “The most critical fix involves a buffer overflow in the bundled Expat library.” The patches come just weeks after the experimental 3.14.0 release, underscoring the team's commitment to hardening older stables lines.
Security Content in These Releases
XML‑Related Vulnerabilities
- CVE-2025-59375: Upgraded bundled
libexpatto version 2.7.3, fixing a buffer overflow in the XML parser. - Expat Parser Lifecycle: A garbage‑collection flaw in
xml.parsers.expatcould leave parent parsers referenced by sub‑parsers, leading to use‑after‑free attacks.
Archive‑Related Fixes
- tarfile validation: Member offsets are now checked to be non‑negative, preventing malicious archives from causing integer overflows.
- ZIP64 consistency: The
zipfilemodule now validates the end‑of‑central‑directory record, including support for “zip64 extensible data” with no prepended bytes.
HTML Parsing Overhaul
The html.parser module received a major security audit aligned with the HTML5 standard. Key fixes include:
- Tag parsing strictness: Whitespace between
</and the tag name is no longer accepted (e.g.,</ script>fails). Only\t\n\r\fand space are valid whitespace; vertical tabs and non‑ASCII spaces are rejected. - Null character handling: The null character (
U+0000) no longer terminates tag names prematurely. - End tag attributes: Attributes and slashes after the tag name in end tags are now ignored, fixing cases like
</script/foo=">"/>. - CDATA and comment parsing: Fixed how
]]>ends CDATA sections, and how comments like--!>are handled. A new private method_set_support_cdata()allows control over CDATA in SVGs/MathML. - Quadratic complexity: A specially crafted input could cause exponential slowdown (see below).
- Escapable raw text: Proper handling of
textareaandtitleelements, plusclose()no longer loses data on unclosed<script>tags.
Additional Fix in Python 3.11.14
The bundled setuptools library was updated to version 79.0.1, addressing CVE-2025-47273 and CVE-2024-6345, which could allow malicious package installations.
Background
The Python team traditionally releases security updates for the five most recent stable release lines. These patches arrive shortly after the debut of Python 3.14.0 alpha, which did not receive similar security backports. “We couldn’t just let Hugo have fun with 3.14.0,” the team quipped in the release notes, emphasizing that older versions remain critical for enterprise deployments.
The vulnerabilities were discovered through internal audits and external reports. The Expat issue (CVE-2025-59375) was reported by a third‑party security researcher and affects all consumers of the XML parser. The HTML parser fixes stem from a long‑standing gap between Python’s implementation and the HTML5 specification, which attackers could exploit for cross‑site scripting (XSS) in web‑facing applications.
What This Means
Immediate action is required. Systems using Python 3.9 through 3.12 should be upgraded to the respective latest versions (3.9.24, 3.10.19, 3.11.14, or 3.12.12). Failure to patch could expose your applications to remote code execution, denial of service, or data leakage.
The quadratic complexity bug in html.parser (gh-135462) is particularly concerning for applications that parse untrusted HTML input, such as blog comments or email renderers. An attacker can craft a small payload that consumes excessive CPU, leading to service slowdowns or crashes.
For organisations still on Python 2 or earlier 3.x series, note that these older lines no longer receive security support. The Python Security Response Team recommends migrating to a supported version as soon as possible. “Staying on an unmaintained version is like leaving your front door unlocked,” said security expert Dr. Anna Ravencroft of the Python Security Foundation. “These patches are a reminder that open‑source maintenance is a continuous process.”
Download the updated releases from the official Python website: