Python Security Vulnerabilities

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Status of Python branches lists the Python branches that still receive security fixes.

Total: 95 vulnerabilities.

Vulnerability | Disclosure | Fixed In | Vulnerable | CVE
Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple | 2023-03-24 | - | 3.7, 3.8, 3.9, 3.10 | CVE-2023-27043
urlparse does not correctly handle schemes | 2022-11-12 | 3.11.1 | 3.7, 3.8, 3.9, 3.10 | CVE-2023-24329
Buffer overflow in the _sha3 module in Python 3.10 and older | 2022-10-21 | 3.7.16, 3.8.16, 3.9.16, 3.10.9 | - | CVE-2022-37454
Slow IDNA decoding with large strings | 2022-10-19 | 3.7.16, 3.8.16, 3.9.16, 3.10.9, 3.11.1 | - | CVE-2022-45061
Linux specific local privilege escalation via the multiprocessing forkserver start method | 2022-09-23 | 3.9.16, 3.10.9, 3.11.0 | - | CVE-2022-42919
Prevent DoS by large str-int conversions | 2022-08-08 | 3.7.14, 3.8.14, 3.9.14, 3.10.7, 3.11.0 | - | CVE-2020-10735
Windows: vulnerable zlib 1.2.11 | 2022-04-01 | 3.7.14, 3.8.14, 3.9.13, 3.10.5 | - | CVE-2018-25032
Windows: vulnerable bzip2 1.0.6 | 2021-07-02 | 3.7.13, 3.8.13, 3.9.11, 3.10.3 | - | CVE-2016-3189, CVE-2019-12900
CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0 | 2021-06-11 | 3.6.15, 3.7.12, 3.8.12, 3.9.7, 3.10.0 | - | CVE-2013-0340
CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response | 2021-05-03 | 3.6.14, 3.7.11, 3.8.11, 3.9.6, 3.10.0 | - | CVE-2021-3737
urllib.parse should sanitize urls containing ASCII newline and tabs | 2021-04-18 | 3.6.14, 3.7.11, 3.8.11, 3.9.5, 3.10.0 | - | CVE-2022-0391
ipaddress leading zeros in IPv4 address | 2021-03-30 | 3.8.12, 3.9.5, 3.10.0 | - | CVE-2021-29921
ftplib should not use the host from the PASV response | 2021-02-21 | 3.6.14, 3.7.11, 3.8.9, 3.9.3, 3.10.0 | - | -
http.server: Open Redirection if the URL path starts with // | 2021-02-14 | 3.7.14, 3.8.14, 3.9.14, 3.10.6, 3.11.0 | - | CVE-2021-28861
CVE-2021-3733: ReDoS in urllib.request | 2021-01-30 | 3.6.14, 3.7.11, 3.8.10, 3.9.5, 3.10.0 | - | CVE-2021-3733
Information disclosure via pydoc getfile | 2021-01-21 | 3.6.14, 3.7.11, 3.8.9, 3.9.3, 3.10.0 | - | CVE-2021-3426
urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator | 2021-01-19 | 3.6.13, 3.7.10, 3.8.8, 3.9.2, 3.10.0 | - | CVE-2021-23336
ctypes: Buffer overflow in PyCArg_repr | 2021-01-16 | 3.6.13, 3.7.10, 3.8.8, 3.9.2, 3.10.0 | - | CVE-2021-3177
CJK codecs tests call eval() on content retrieved via HTTP | 2020-10-05 | 3.6.13, 3.7.10, 3.8.7, 3.9.1, 3.10.0 | - | CVE-2020-27619
[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface | 2020-06-17 | 3.5.10, 3.6.12, 3.7.9, 3.8.4, 3.9.0 | - | CVE-2020-14422
http.client: HTTP Header Injection in the HTTP method | 2020-02-10 | 3.5.10, 3.6.12, 3.7.9, 3.8.5, 3.9.0 | - | CVE-2020-26116
CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7 | 2020-01-21 | 3.6.11, 3.7.7, 3.8.2, 3.9.0 | - | CVE-2020-8315
Email header injection in Address objects | 2019-12-17 | 3.5.10, 3.6.11, 3.7.8, 3.8.4, 3.9.0 | - | -
Infinite loop in tarfile module while opening a crafted file | 2019-12-10 | 3.5.10, 3.6.12, 3.7.9, 3.8.5, 3.9.0 | - | CVE-2019-20907
Remove newline characters from uu encoding methods | 2019-11-30 | 2.7.18, 3.5.10, 3.6.10, 3.7.6, 3.8.1, 3.9.0 | - | -
urllib basic auth regex denial of service | 2019-11-17 | 3.5.10, 3.6.11, 3.7.8, 3.8.3, 3.9.0 | - | CVE-2020-8492
Regular Expression Denial of Service in http.cookiejar | 2019-11-14 | 2.7.18, 3.5.10, 3.6.10, 3.7.6, 3.8.1, 3.9.0 | - | -
CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen() | 2019-10-24 | 2.7.18, 3.5.10, 3.6.11, 3.7.8, 3.8.3, 3.9.0 | - | CVE-2019-18348
Reflected XSS in DocXMLRPCServer | 2019-09-21 | 2.7.17, 3.5.8, 3.6.10, 3.7.5, 3.8.0 | - | CVE-2019-16935
ssl.match_hostname() ignores extra string after whitespace in IPv4 address | 2019-07-01 | 3.7.4, 3.8.0 | - | -
urlsplit does not handle NFKC normalization (second fix) | 2019-04-27 | 2.7.17, 3.5.8, 3.6.9, 3.7.4, 3.8.0 | - | CVE-2019-10160
urlsplit does not handle NFKC normalization | 2019-03-06 | 2.7.17, 3.5.7, 3.6.9, 3.7.3, 3.8.0 | - | CVE-2019-9636
urllib module local_file:// scheme | 2019-02-06 | 2.7.17, 3.5.8, 3.6.9, 3.7.4, 3.8.0 | - | CVE-2019-9948
TALOS-2018-0758 SSL CRL distribution points Denial of Service | 2019-01-15 | 2.7.16, 3.4.10, 3.5.7, 3.6.9, 3.7.3, 3.8.0 | - | CVE-2019-5010
http.cookiejar: Incorrect validation of path | 2019-01-03 | 2.7.17, 3.4.10, 3.5.7, 3.6.9, 3.7.3, 3.8.0 | - | -
xml package does not obey ignore_environment | 2018-09-24 | 2.7.16, 3.4.10, 3.5.7, 3.6.8, 3.7.2, 3.8.0 | - | -
pickle.load denial of service | 2018-09-13 | 3.4.10, 3.5.7, 3.6.7, 3.7.1, 3.8.0 | - | CVE-2018-20406
_elementtree C accelerator doesn't call XML_SetHashSalt() | 2018-09-10 | 2.7.16, 3.4.10, 3.5.7, 3.6.7, 3.7.1, 3.8.0 | - | CVE-2018-14647
email.utils.parseaddr mistakenly parses an email | 2018-07-19 | 2.7.17, 3.5.8, 3.6.10, 3.7.5, 3.8.0 | - | CVE-2019-16056
Email folding function Denial-of-Service | 2018-05-16 | 3.6.9, 3.7.4, 3.8.0 | - | -
Buffer overflow vulnerability in os.symlink on Windows | 2018-03-05 | 3.4.9, 3.5.6, 3.6.5, 3.7.0 | - | CVE-2018-1000117
difflib and poplib catastrophic backtracking | 2018-03-02 | 2.7.15, 3.4.9, 3.5.6, 3.6.5, 3.7.0 | - | CVE-2018-1060, CVE-2018-1061
Python 2.7 readahead is not thread safe | 2017-09-20 | 2.7.15 | - | CVE-2018-1000030
Expat 2.2.3 | 2017-07-17 | 2.7.14, 3.3.7, 3.4.8, 3.5.5, 3.6.3, 3.7.0 | - | -
Environment variables injection in subprocess on Windows | 2017-06-22 | 2.7.14, 3.3.7, 3.4.7, 3.5.4, 3.6.2, 3.7.0 | - | -
Expat 2.2.1 | 2017-06-17 | 2.7.14, 3.3.7, 3.4.7, 3.5.4, 3.6.2, 3.7.0 | - | CVE-2012-0876, CVE-2016-0718, CVE-2016-9063, CVE-2017-9233
PyString_DecodeEscape integer overflow | 2017-06-13 | 2.7.14, 3.4.8, 3.5.5 | - | CVE-2017-1000158
bpo-30500: urllib connects to a wrong host | 2017-05-29 | 2.7.14, 3.3.7, 3.4.7, 3.5.4, 3.6.2, 3.7.0 | - | -
HTTP Header Injection (follow-up of CVE-2016-5699) | 2017-05-24 | 2.7.17, 3.5.8, 3.6.9, 3.7.4, 3.8.0 | - | CVE-2019-9740, CVE-2019-9947
Py_SetPath(): _Py_CheckPython3 uses uninitialized DLL path | 2017-03-10 | 3.5.10, 3.6.12, 3.7.9, 3.8.4, 3.9.0 | - | CVE-2020-15523
urllib FTP protocol stream injection | 2017-02-20 | 2.7.14, 3.3.7, 3.4.7, 3.5.4, 3.6.3, 3.7.0 | - | -
Expat 2.2 (Expat bug #537) | 2017-02-17 | 2.7.14, 3.3.7, 3.4.7, 3.5.4, 3.6.2, 3.7.0 | - | CVE-2016-0718, CVE-2016-4472
Zlib 1.2.11 | 2017-01-05 | 2.7.14, 3.4.8, 3.5.4, 3.6.1, 3.7.0 | - | CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
gettext.c2py() | 2016-10-30 | 2.7.13, 3.3.7, 3.4.6, 3.5.3, 3.6.0 | - | -
Sweet32 attack (DES, 3DES) | 2016-08-24 | 2.7.13, 3.4.7, 3.5.3, 3.6.0 | - | CVE-2016-2183
HTTPoxy attack | 2016-07-18 | 2.7.13, 3.3.7, 3.4.6, 3.5.3, 3.6.0 | - | CVE-2016-1000110
smtplib TLS stripping | 2016-06-11 | 2.7.12, 3.3.7, 3.4.5, 3.5.2, 3.6.0 | - | CVE-2016-0772
Issue #26657: HTTP server directory traversal | 2016-03-28 | 2.7.12, 3.3.7, 3.4.7, 3.5.2, 3.6.0 | - | -
Issue #26556: Expat 2.1.1 | 2016-03-14 | 2.7.12, 3.3.7, 3.4.5, 3.5.2, 3.6.0 | - | CVE-2015-1283
zipimporter overflow | 2016-01-21 | 2.7.12, 3.3.7, 3.4.5, 3.5.2, 3.6.0 | - | CVE-2016-5636
mailcap shell command injection | 2015-08-02 | 3.7.16, 3.8.16, 3.9.16, 3.10.8, 3.11.0 | - | CVE-2015-20107
HTTP header injection | 2014-11-24 | 2.7.10, 3.3.7, 3.4.4, 3.5.0 | - | CVE-2016-5699
Validate TLS certificate | 2014-08-28 | 2.7.9, 3.4.3, 3.5.0 | - | CVE-2014-9365
buffer() integer overflows | 2014-06-24 | 2.7.8 | - | CVE-2014-7185
JSONDecoder.raw_decode | 2014-04-13 | 2.7.7, 3.2.6, 3.3.6, 3.4.1, 3.5.0 | - | CVE-2014-4616
os.makedirs() not thread-safe | 2014-03-28 | 3.2.6, 3.3.6, 3.4.1, 3.5.0 | - | CVE-2014-2667
socket.recvfrom_into() overflow | 2014-01-14 | 2.7.7, 3.2.6, 3.3.4, 3.4.0 | - | CVE-2014-1912
zipfile DoS using invalid file size | 2013-12-27 | 3.3.4, 3.4.0 | - | CVE-2013-7338
CGI directory traversal (URL parsing) | 2013-10-29 | 2.7.6, 3.2.6, 3.3.4, 3.4.0 | - | -
ssl: NULL in subjectAltNames | 2013-06-27 | 2.6.9, 2.7.6, 3.2.6, 3.3.3, 3.4.0 | - | CVE-2013-4238
ssl.match_hostname() IDNA issue | 2013-05-17 | 3.3.3, 3.4.0 | - | CVE-2013-7440
ssl.match_hostname() wildcard DoS | 2013-05-15 | 3.2.6, 3.3.3, 3.4.0 | - | CVE-2013-2099
Limit imaplib.IMAP4_SSL.readline() | 2012-09-25 | 2.7.16 | - | CVE-2013-1752
ftplib unlimited read | 2012-09-25 | 2.7.6, 3.2.6, 3.3.3, 3.4.0 | - | CVE-2013-1752
nntplib unlimited read | 2012-09-25 | 2.6.9, 2.7.6, 3.2.6, 3.3.7, 3.4.3, 3.5.0 | - | CVE-2013-1752
poplib unlimited read | 2012-09-25 | 2.7.9, 3.2.6, 3.3.7, 3.4.3, 3.5.0 | - | CVE-2013-1752
smtplib unlimited read | 2012-09-25 | 2.7.9, 3.2.6, 3.3.7, 3.4.3, 3.5.0 | - | CVE-2013-1752
xmlrpc gzip unlimited read | 2012-09-25 | 2.7.9, 3.3.7, 3.4.3, 3.5.0 | - | CVE-2013-1753
Hash function not randomized properly | 2012-04-19 | 3.4.0 | - | CVE-2013-7040
Vulnerability in the utf-16 decoder after error handling | 2012-04-14 | 2.7.4, 3.2.4, 3.3.0 | - | CVE-2012-2135
XML-RPC DoS | 2012-02-13 | 2.6.8, 2.7.3, 3.1.5, 3.2.3, 3.3.0 | - | CVE-2012-0845
ssl CBC IV attack | 2012-01-27 | 2.6.8, 2.7.3, 3.1.5, 3.2.3, 3.3.0 | - | CVE-2011-3389
Hash DoS | 2011-12-28 | 2.6.8, 2.7.3, 3.1.5, 3.2.3, 3.3.0 | - | CVE-2012-1150
pypirc created insecurely | 2011-11-30 | 2.7.4, 3.2.4, 3.3.1, 3.4.0 | - | CVE-2011-4944
urllib redirect | 2011-03-24 | 2.5.6, 2.6.7, 2.7.2, 3.1.4, 3.2.1, 3.3.0 | - | CVE-2011-1521
SimpleHTTPServer UTF-7 | 2011-03-08 | 2.5.6, 2.6.7, 2.7.2, 3.2.4, 3.3.1, 3.4.0 | - | CVE-2011-4940
audioop integer overflows | 2010-05-10 | 2.6.6, 2.7.0, 3.1.3, 3.2.0 | - | CVE-2010-1634
audioop input validation | 2010-01-11 | 2.6.6, 2.7.2, 3.1.3, 3.2.0 | - | CVE-2010-2089
httplib unlimited read | 2009-08-28 | 2.7.2, 3.1.4, 3.2.0 | - | CVE-2013-1752
smtpd accept bug and race condition | 2009-08-14 | 2.7.1, 3.1.3, 3.2.0 | - | CVE-2010-3492, CVE-2010-3493
Multiple integer overflows (Apple) | 2008-07-31 | 2.6.0, 3.0.0 | - | CVE-2008-1679, CVE-2008-1721, CVE-2008-1887, CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3144, CVE-2008-4864
Multiple integer overflows (Google) | 2008-04-11 | 2.5.3, 2.6.0, 3.0.0 | - | CVE-2008-3143
expandtab() integer overflow | 2008-03-11 | 2.5.3, 2.6.0, 3.0.0 | - | CVE-2008-5031
CGI directory traversal (is_cgi() function) | 2008-03-07 | 2.7.0, 3.2.4, 3.3.1, 3.4.0 | - | CVE-2011-1015
rgbimg and imageop overflows | 2007-09-16 | 2.5.3, 2.6.0 | - | CVE-2007-4965, CVE-2009-4134, CVE-2010-1449, CVE-2010-1450
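The practical question this table answers is "does the interpreter I am running carry the fix for entry X?". The following is an added example, not code from the original page or from the python-security project, that encodes how the Fixed In column is read. The reading is an assumption stated in the code: each listed release is the first release of its branch that contains the fix, so later releases of that branch are fixed; a release of a listed branch below the listed version is vulnerable; a branch older than the oldest listed one never received the fix and is treated as vulnerable; a branch newer than the newest listed one already contains the fix. The ADVISORIES dictionary is a three-row extract copied from the table above; the function names are the example's own.

```python
"""Check whether a CPython release has the fix for a row of the table above.

Added example, not part of the original page.  Reading of the "Fixed In"
column (an assumption of this example, not stated by the page itself):

* "3.9.16 3.10.9 3.11.0" means branch 3.9 is fixed from 3.9.16 onwards, 3.10
  from 3.10.9 onwards, and 3.11 from its first release.
* A release on a listed branch older than the listed version is vulnerable.
* A branch older than the oldest listed branch never received the fix (it was
  already end-of-life when the fix shipped) and is treated as vulnerable.
* A branch newer than the newest listed branch already contains the fix.
"""
import sys
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]


def parse_version(text: str) -> Version:
    """Parse 'X.Y' or 'X.Y.Z' into a comparable tuple; 'X.Y' means X.Y.0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("not a CPython version: %r" % text)
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fixed_branches(fixed_in: Iterable[str]) -> Dict[Branch, Version]:
    """Map each branch (major, minor) to the first release on it with the fix."""
    table: Dict[Branch, Version] = {}
    for item in fixed_in:
        v = parse_version(item)
        branch = (v[0], v[1])
        if branch not in table or v < table[branch]:
            table[branch] = v
    return table


def is_fixed(version: str, fixed_in: Iterable[str]) -> bool:
    """True if `version` contains the fix described by the Fixed In list."""
    v = parse_version(version)
    table = fixed_branches(fixed_in)
    if not table:
        return False            # no fix released at all (Vulnerable-only rows)
    branch = (v[0], v[1])
    if branch in table:
        return v >= table[branch]
    if branch < min(table):
        return False            # older than every fixed branch: never fixed
    if branch > max(table):
        return True             # branched after the fix landed on main
    return False                # a gap in the list: be conservative


# Constructed input: three rows copied from the table above.
ADVISORIES: Dict[str, List[str]] = {
    "CVE-2022-42919": ["3.9.16", "3.10.9", "3.11.0"],
    "CVE-2020-10735": ["3.7.14", "3.8.14", "3.9.14", "3.10.7", "3.11.0"],
    "CVE-2015-20107": ["3.7.16", "3.8.16", "3.9.16", "3.10.8", "3.11.0"],
}


def unpatched(version: str, advisories: Dict[str, List[str]] = ADVISORIES) -> List[str]:
    """Return the advisories whose fix `version` does not contain, sorted."""
    return sorted(cve for cve, fixed in advisories.items()
                  if not is_fixed(version, fixed))


if __name__ == "__main__":
    running = "%d.%d.%d" % sys.version_info[:3]
    missing = unpatched(running)
    print(running, "lacks fixes for:", ", ".join(missing) or "nothing in the sample")
```

Run it under the interpreter you want to audit; to cover the whole page, feed `unpatched()` a dictionary built from every row rather than the three-row sample. Keep the "older than the oldest listed branch is vulnerable" rule in mind: it is what makes an end-of-life interpreter show up as unpatched even though no row ever names it.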