Quick Facts
- Category: Cybersecurity
- Published: 2026-05-01 17:12:44
Overview of the Security Releases
Python has published new maintenance and security releases for its older yet widely used versions: 3.12.12, 3.11.14, 3.10.19, and 3.9.24. These updates focus on patching critical vulnerabilities in core libraries, including XML parsing, archive handling, and HTML parsing. While the latest Python 3.14.0 development branch gets attention, these releases ensure that the vast ecosystem of applications relying on stable versions remains secure.
Key Security Fixes Across All Versions
XML-Related Fixes
Two important XML security issues were addressed:
- CVE-2025-59375 in bundled libexpat: Updated to version 2.7.3 (gh-139312).
- Parent-subparser garbage collection: Ensured that xml.parsers.expat parent parsers are not freed while still referenced by subparsers created through ExternalEntityParserCreate() (gh-139400).
Archive-Related Fixes
Two improvements in archive file validation prevent malicious archives from exploiting Python’s extraction logic:
- tarfile: Now validates that member offsets are non-negative (gh-130577).
- zipfile: Consistency checks for the ZIP64 End of Central Directory record; added support for records with “zip64 extensible data” when no bytes are prepended to the ZIP file (gh-139700).
HTML Parsing Fixes (gh-135661 and related)
The HTML parser (html.parser.HTMLParser) now conforms more closely to the HTML5 standard. A series of changes fix edge cases that could be exploited for denial of service or information leakage:
- Start and end tag parsing: Whitespace between </ and the tag name is no longer allowed; e.g., </ script> no longer ends a script section.
- Whitespace recognition: Only \t, \n, \r, \f and space are treated as whitespace; vertical tab (\v) and non-ASCII whitespace are not.
- Null character handling: U+0000 no longer terminates a tag name.
- End tag attributes: Attributes and slashes after the tag name in end tags are now ignored; e.g., </script/foo=">"/> correctly ends a script section.
- Multiple slashes and whitespace: Extra slashes/whitespace between the last attribute and the closing > are ignored in both start and end tags (e.g., <a foo=bar/ //>).
- Attribute value parsing: Multiple = between attribute name and value are no longer collapsed; e.g., <a foo==bar> produces attribute foo with value =bar.
- CDATA section parsing: Fixed so that ]]> and ]] > no longer prematurely end CDATA sections. A private method _set_support_cdata() was added to configure parsing of <![CDATA[ either as a CDATA section (in SVG/MathML) or as a bogus comment.
- Comment parsing: --!> now ends a comment; -- > does not. Support was added for abnormally ended empty comments <!--> and <!--->.
- Quadratic complexity: Fixed a vulnerability in processing specially crafted input (gh-135462).
- End-of-file handling: According to the HTML5 spec, comments and declarations are automatically closed; tags are ignored on EOF.
- Escapable raw text mode: Fixed support for textarea and title elements (gh-118350).
- Unclosed <script> in close(): No longer loses data when the script tag is not closed (gh-86155).
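As an added illustration (not code from the announcement or from CPython), the script below checks whether the running interpreter is at or above the patched release listed here for its series, and probes html.parser for the </ script> behaviour described above. The version table is taken from this announcement; the probe input is constructed for the example.

```python
import sys
from html.parser import HTMLParser

# Minimum patched releases named in the announcement, keyed by (major, minor).
PATCHED_RELEASES = {
    (3, 9): (3, 9, 24),
    (3, 10): (3, 10, 19),
    (3, 11): (3, 11, 14),
    (3, 12): (3, 12, 12),
}

def is_patched(version=None):
    """True/False for a 3.9-3.12 interpreter; None when the series is not
    covered by this announcement (3.13 and later)."""
    major, minor, micro = tuple(version or sys.version_info)[:3]
    floor = PATCHED_RELEASES.get((major, minor))
    if floor is None:
        return None
    return (major, minor, micro) >= floor

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.script_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.script_text.append(data)

def script_text_for(html):
    """Return the raw text the parser attributes to the <script> element."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return "".join(p.script_text)

def parser_has_html5_endtag_fix():
    # Constructed probe: with the fix, "</ script>" is ordinary script text and
    # only "</script>" closes the element; an unpatched parser ends the
    # script early at "</ script>", so the collected text is just "a".
    return script_text_for("<script>a</ script>b</script>") == "a</ script>b"
```

Run is_patched() and parser_has_html5_endtag_fix() together: a False from either on a 3.9 to 3.12 host means the interpreter still needs the update.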
Specific Version Updates
Python 3.12.12
This release incorporates all the generic fixes described above plus version‐specific improvements. Download from the official Python 3.12.12 download page.
Python 3.11.14
In addition to the shared XML, archive, and HTML fixes, this version includes an important update:
- Setuptools update: The bundled copy of setuptools was upgraded to version 79.0.1 to address CVE-2025-47273 and CVE-2024-6345 (gh-135374).
Get the release from the Python downloads page.
Python 3.10.19
Version 3.10.19 contains the same core security patches as above. Check the Python 3.10.19 download page.
Python 3.9.24
Python 3.9.24 also benefits from all the shared fixes. Download it from the Python 3.9.24 download page.
Conclusion
While newer Python versions may attract more buzz, these security releases for versions 3.9 through 3.12 provide critical safeguards for production systems. Administrators and developers are strongly encouraged to upgrade promptly, especially to protect against the HTML parser vulnerability that could be exploited with crafted web content.