Python Security Releases: Critical Patches for Versions 3.9 Through 3.12
Introduction
Python has released security updates for its venerable versions 3.9.24, 3.10.19, 3.11.14, and 3.12.12. While the community eagerly anticipates Python 3.14.0 (which Hugo has been showcasing), these older branches receive critical patches addressing vulnerabilities in XML handling, archive processing, and HTML parsing. This article details the key fixes and improvements in these maintenance releases.
Overview of the Security Releases
The new releases focus on hardening core libraries against potential exploits. Among the most notable changes are updates to the bundled libexpat XML parser, improvements to tarfile and zipfile validation, and a comprehensive overhaul of the HTML parser to comply with HTML5 standards. Below, we break down each area of improvement.
XML-Related Fixes
Two significant XML vulnerabilities have been addressed:
- CVE-2025-59375 – The bundled
libexpatlibrary has been updated to version 2.7.3 (see gh-139312). This fixes a denial-of-service and potential remote code execution flaw. - Expat Parser Garbage Collection – A bug in
xml.parsers.expatensured that parent Expat parsers are only garbage-collected after all subparsers created byExternalEntityParserCreate()are no longer referenced (see gh-139400).
Archive-Related Fixes
The tarfile and zipfile modules have received validation improvements:
- tarfile – Now validates that member offsets are non-negative, preventing buffer underflow issues (see gh-130577).
- zipfile – Consistency of the zip64 end-of-central-directory record is now checked. Additionally, support for records with “zip64 extensible data” has been added when no bytes are prepended to the ZIP file (see gh-139700).
HTML Parsing Fixes
The html.parser module underwent a major set of changes to align with the HTML5 specification. These fixes enhance security and correctness:
- Start and end tag parsing – Whitespace is no longer allowed between
</and the tag name. For example,</ script>does not end the script section. Vertical tab (\v) and non-ASCII whitespaces are no longer recognized; only\t\n\r\fand space are considered whitespace. The null character (U+0000) no longer terminates a tag name. Attributes and slashes after the tag name in end tags are now ignored. Multiple slashes and whitespace between the last attribute and closing>are ignored in both start and end tags. Multiple=between attribute name and value are no longer collapsed (e.g.,<a foo==bar>yields attribute “foo” with value “=bar”). - CDATA section parsing – Now follows the HTML5 standard:
]]>and]]>with a space no longer end a CDATA section. A private method_set_support_cdata()has been added to control whether<![CDATA[is treated as a CDATA section (in foreign content like SVG or MathML) or as a bogus comment (in the HTML namespace). - Comment parsing – Corrected to HTML5:
--!>now ends a comment;-->with a space no longer does. Empty comments like<!-->and<--->are now supported abnormally. - Quadratic complexity issue – Fixed a denial-of-service vulnerability where specially crafted input caused quadratic processing time (see gh-135462).
- End-of-file handling – Now conforms to HTML5: comments and declarations are automatically closed, and tags are ignored.
- Escapable raw text mode – Fixed support for
textareaandtitleelements (see gh-118350). - Unclosed <script> tag – The
close()method no longer loses data when a script tag is not closed (see gh-86155).
Version‑Specific Updates
Python 3.12.12
This release includes all the general security fixes described above. Users of Python 3.12 are strongly encouraged to upgrade. Download it from the official release page.
Python 3.11.14
In addition to the common security patches, Python 3.11.14 updates the bundled copy of setuptools to version 79.0.1 to address two vulnerabilities: CVE-2025-47273 and CVE-2024-6345. These fixes protect against potential remote code execution and privilege escalation. See the downloads page for details.
Python 3.10.19 and 3.9.24
These older versions receive the same core security fixes for XML, archive, and HTML parsing as the 3.11 and 3.12 releases. Maintaining them ensures that users on extended support cycles remain protected.
Conclusion
These security releases demonstrate the Python core team’s commitment to maintaining even older versions of the language. Users running Python 3.9 through 3.12 should upgrade to the respective latest patch levels to mitigate the risks outlined above. For a complete list of changes and download links, visit the Python download page.