Python Releases Security Updates for Versions 3.9 Through 3.12
Overview of the Security Releases
Python has published new maintenance and security releases for its older yet widely used versions: 3.12.12, 3.11.14, 3.10.19, and 3.9.24. These updates focus on patching critical vulnerabilities in core libraries, including XML parsing, archive handling, and HTML parsing. While the latest Python 3.14.0 development branch gets attention, these releases ensure that the vast ecosystem of applications relying on stable versions remains secure.
Key Security Fixes Across All Versions
XML-Related Fixes
Two important XML security issues were addressed:
- CVE-2025-59375 in bundled
libexpat: Updated to version 2.7.3 (gh-139312). - Parent‐subparser garbage collection: Ensured that
xml.parsers.expatparent parsers are not freed while still referenced by subparsers created throughExternalEntityParserCreate()(gh-139400).
Archive-Related Fixes
Two improvements in archive file validation prevent malicious archives from exploiting Python’s extraction logic:
- tarfile: Now validates that member offsets are non-negative (gh-130577).
- zipfile: Consistency checks for the ZIP64 End of Central Directory record; added support for records with “zip64 extensible data” when no bytes are prepended to the ZIP file (gh-139700).
HTML Parsing Fixes (gh-135661 and related)
The HTML parser (html.parser.HTMLParser) now conforms more closely to the HTML5 standard. A series of changes fix edge cases that could be exploited for denial of service or information leakage:
- Start and end tag parsing: Whitespace between
</and the tag name is no longer allowed; e.g.,</ script>no longer ends a script section. - Whitespace recognition: Only
\t\n\r\fand space are treated as whitespace; vertical tab (\v) and non‐ASCII whitespace are not. - Null character handling: U+0000 no longer terminates a tag name.
- End tag attributes: Attributes and slashes after the tag name in end tags are now ignored; e.g.,
</script/foo=">"/>correctly ends a script section. - Multiple slashes and whitespace: Extra slashes/whitespace between the last attribute and closing
>are ignored in both start and end tags (e.g.,<a foo=bar/ //>). - Attribute value parsing: Multiple
=between attribute name and value are no longer collapsed; e.g.,<a foo==bar>produces attributefoowith value=bar. - CDATA section parsing: Fixed so that
]]>and]] >no longer prematurely end CDATA sections. A private method_set_support_cdata()was added to configure parsing of<[CDATA[either as a CDATA section (in SVG/MathML) or as a bogus comment. - Comment parsing:
--!>now ends a comment;-- >does not. Support for abnormally ended empty comments<-->and<--->. - Quadratic complexity: Fixed a vulnerability in processing specially crafted input (gh-135462).
- End-of-file handling: According to HTML5 specs, comments and declarations are automatically closed; tags are ignored on EOF.
- Escapable raw text mode: Fixed support for
textareaandtitleelements (gh-118350). - Unclosed <script> in
close(): No longer loses data when the script tag is not closed (gh-86155).
Specific Version Updates
Python 3.12.12
This release incorporates all the generic fixes described above plus version‐specific improvements. Download from the official Python 3.12.12 download page.
Python 3.11.14
In addition to the shared XML, archive, and HTML fixes, this version includes an important update:
- Setuptools update: The bundled copy of setuptools was upgraded to version 79.0.1 to address CVE-2025-47273 and CVE-2024-6345 (gh-135374).
Get the release from the Python downloads page.
Python 3.10.19
Version 3.10.19 contains the same core security patches as above. Check the Python 3.10.19 download page.
Python 3.9.24
Python 3.9.24 also benefits from all the shared fixes. Download from Python 3.9.24 download page.
Conclusion
While newer Python versions may attract more buzz, these security releases for versions 3.9 through 3.12 provide critical safeguards for production systems. Administrators and developers are strongly encouraged to upgrade promptly, especially to protect against the HTML parser vulnerability that could be exploited with crafted web content.