Cpython
By the Year
In 2026 there have been 2 vulnerabilities in Cpython. Cpython did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 6 | 6.84 |
| 2023 | 2 | 5.20 |
It may take a day or so for new Cpython vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Cpython Security Vulnerabilities
Audit Event Bypass in CPython FileLoader before 3.15.0
CVE-2026-2297
- March 04, 2026
The CPython import hook that handles legacy *.pyc files (SourcelessFileLoader) relies on code in its base class, FileLoader, that does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Python CPython base64 altchars misuse in 3.13-3.15
CVE-2025-12781
- January 21, 2026
When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module, the characters "+/" will always be accepted, regardless of the value of the "altchars" parameter, which is typically used to establish an "alternative base64 alphabet" such as the URL-safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patch does not make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior, which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying that user-controlled inputs match the base64 alphabet they are expecting, or by verifying that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.
Incorrect Type Conversion or Cast
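The mitigation the advisory recommends, checking the raw input against the alphabet you expect before decoding, as an added example (not CPython's code). It assumes the RFC 4648 standard and URL-safe alphabets; `validate=True` alone does not help here because `altchars` are translated to "+/" before validation runs.

```python
import base64
import re


def is_valid_b64(data: bytes, altchars: bytes = b"+/") -> bool:
    """True only if every byte of data is in the base64 alphabet selected by altchars.

    The alphabet is A-Z, a-z, 0-9 plus the two altchars (RFC 4648), followed by up to
    two '=' pads, and the length must be a multiple of four.
    """
    if len(altchars) != 2:
        raise ValueError("altchars must be exactly two bytes")
    alphabet = re.compile(rb"[A-Za-z0-9" + re.escape(bytes(altchars)) + rb"]*={0,2}")
    return len(data) % 4 == 0 and alphabet.fullmatch(data) is not None


def strict_b64decode(data, altchars=b"+/") -> bytes:
    """Decode base64 while refusing any byte outside the requested alphabet.

    Affected base64.b64decode()/urlsafe_b64decode() versions (CVE-2025-12781) still
    decode '+' and '/' when an alternative alphabet is requested, so the check has to
    happen on the raw input before the stdlib decoder sees it.
    """
    if isinstance(data, str):
        try:
            data = data.encode("ascii")
        except UnicodeEncodeError:
            raise ValueError("base64 input must be ASCII") from None
    altchars = bytes(altchars)
    if not is_valid_b64(data, altchars):
        raise ValueError("input is not valid base64 in the requested alphabet")
    return base64.b64decode(data, altchars=altchars)


def strict_urlsafe_b64decode(data) -> bytes:
    """URL-safe variant (RFC 4648 section 5): '-' and '_' accepted, '+' and '/' rejected."""
    return strict_b64decode(data, altchars=b"-_")
```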
CVE-2024-9287: CPython venv CLI Command Injection via Unquoted Paths
CVE-2024-9287
- October 22, 2024
A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (i.e. "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (i.e. "./venv/bin/python") are not affected.
Unquoted Search Path or Element
CPython ReDoS via Regex in tarfile Header Parsing
CVE-2024-6232
7.5 - High
- September 03, 2024
There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
ReDoS
CPython http.cookies Quadratic Complexity CPU Exhaustion (CVE-2024-7592)
CVE-2024-7592
7.5 - High
- August 19, 2024
There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
Resource Exhaustion
CPython Email Module Header Injection via Improper Newline Quoting
CVE-2024-6923
5.5 - Medium
- August 01, 2024
There is a MEDIUM severity vulnerability affecting CPython. The email module didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized.
Code Injection
Python ipaddress CVE-2024-4032 incorrect is_private/is_global until v3.12.4
CVE-2024-4032
7.5 - High
- June 17, 2024
The ipaddress module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as globally reachable or private. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn't be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.
Incorrect Comparison
CVE-2024-0450: CPython <3.12.2 Vulnerable to ZipBombs via zipfile Module
CVE-2024-0450
6.2 - Medium
- March 19, 2024
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to quoted-overlap zip-bombs, which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.
Amplification
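A stand-alone pre-check that mirrors what the fixed releases do, flagging archives whose entries claim overlapping byte ranges before anything is extracted, as an added example (not CPython's code). The archive and the tampering that aliases its second central-directory record onto the first entry are constructed here for the demonstration; offsets follow the ZIP local header and central directory layouts.

```python
import io
import struct
import zipfile

LOCAL_HEADER_LEN = 30    # fixed part of a local file header
CENTRAL_HEADER_LEN = 46  # fixed part of a central directory record


def entry_spans(data: bytes):
    """Return (name, start, end) byte ranges covered by each entry's local header plus payload."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            hdr = data[zi.header_offset:zi.header_offset + LOCAL_HEADER_LEN]
            if hdr[:4] != b"PK\x03\x04":
                raise ValueError(f"bad local header for {zi.filename!r}")
            name_len, extra_len = struct.unpack_from("<HH", hdr, 26)
            end = zi.header_offset + LOCAL_HEADER_LEN + name_len + extra_len + zi.compress_size
            spans.append((zi.filename, zi.header_offset, end))
    return spans


def overlapping_entries(data: bytes):
    """Adjacent (by start offset) entry pairs whose ranges overlap; [] for a sound archive.
    If any two entries overlap, at least one such adjacent pair is reported."""
    spans = sorted(entry_spans(data), key=lambda s: s[1])
    return [(a[0], b[0]) for a, b in zip(spans, spans[1:]) if b[1] < a[2]]


def make_zip(files):
    """Constructed sample archive; ZIP_STORED keeps the offsets easy to follow."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in files:
            zf.writestr(name, payload)
    return buf.getvalue()


def alias_second_entry(data: bytes) -> bytes:
    """Constructed tampering for the demo: point the second central-directory record
    at the first entry's local header, so both records claim the same bytes."""
    eocd = data.rfind(b"PK\x05\x06")                      # end of central directory
    cd_start = struct.unpack_from("<I", data, eocd + 16)[0]
    name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, cd_start + 28)
    second = cd_start + CENTRAL_HEADER_LEN + name_len + extra_len + comment_len
    first_offset = data[cd_start + 42:cd_start + 46]      # relative offset of local header
    return data[:second + 42] + first_offset + data[second + 46:]
```

Run `overlapping_entries()` on untrusted input before extracting it on interpreters that predate the fix.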
CPython 3.12.0 subprocess setgroups regression causes PID root privilege issue
CVE-2023-6507
4.9 - Medium
- December 08, 2023
An issue was found in the CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (i.e. `extra_groups=[]`), the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original process's groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).
Python CPython v3.12.0a7 UAF via ascii_decode
CVE-2023-33595
5.5 - Medium
- June 07, 2023
CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.
Dangling pointer