Python Security Vulnerabilities
Warning: This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
Status of Python branches lists Python branches which get security fixes.
Total: 95 vulnerabilities.
| Vulnerability | Disclosure | Fixed In | Vulnerable | CVE |
|---|---|---|---|---|
| Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple | 2023-03-24 | – | 3.10 3.7 3.8 3.9 | CVE-2023-27043 |
| urlparse does not correctly handle schemes | 2022-11-12 | 3.11.1 | 3.10 3.7 3.8 3.9 | CVE-2023-24329 |
| Buffer overflow in the _sha3 module in Python 3.10 and older | 2022-10-21 | 3.7.16 3.8.16 3.9.16 3.10.9 | – | CVE-2022-37454 |
| Slow IDNA decoding with large strings | 2022-10-19 | 3.7.16 3.8.16 3.9.16 3.10.9 3.11.1 | – | CVE-2022-45061 |
| Linux specific local privilege escalation via the multiprocessing forkserver start method | 2022-09-23 | 3.9.16 3.10.9 3.11.0 | – | CVE-2022-42919 |
| Prevent DoS by large str-int conversions | 2022-08-08 | 3.7.14 3.8.14 3.9.14 3.10.7 3.11.0 | – | CVE-2020-10735 |
| Windows: vulnerable zlib 1.2.11 | 2022-04-01 | 3.7.14 3.8.14 3.9.13 3.10.5 | – | CVE-2018-25032 |
| Windows: vulnerable bzip2 1.0.6 | 2021-07-02 | 3.7.13 3.8.13 3.9.11 3.10.3 | – | CVE-2016-3189 CVE-2019-12900 |
| CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0 | 2021-06-11 | 3.6.15 3.7.12 3.8.12 3.9.7 3.10.0 | – | CVE-2013-0340 |
| CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response | 2021-05-03 | 3.6.14 3.7.11 3.8.11 3.9.6 3.10.0 | – | CVE-2021-3737 |
| urllib.parse should sanitize urls containing ASCII newline and tabs. | 2021-04-18 | 3.6.14 3.7.11 3.8.11 3.9.5 3.10.0 | – | CVE-2022-0391 |
| ipaddress leading zeros in IPv4 address | 2021-03-30 | 3.8.12 3.9.5 3.10.0 | – | CVE-2021-29921 |
| ftplib should not use the host from the PASV response | 2021-02-21 | 3.6.14 3.7.11 3.8.9 3.9.3 3.10.0 | – | – |
| http.server: Open Redirection if the URL path starts with // | 2021-02-14 | 3.7.14 3.8.14 3.9.14 3.10.6 3.11.0 | – | CVE-2021-28861 |
| CVE-2021-3733: ReDoS in urllib.request | 2021-01-30 | 3.6.14 3.7.11 3.8.10 3.9.5 3.10.0 | – | CVE-2021-3733 |
| Information disclosure via pydoc getfile | 2021-01-21 | 3.6.14 3.7.11 3.8.9 3.9.3 3.10.0 | – | CVE-2021-3426 |
| urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator | 2021-01-19 | 3.6.13 3.7.10 3.8.8 3.9.2 3.10.0 | – | CVE-2021-23336 |
| ctypes: Buffer overflow in PyCArg_repr | 2021-01-16 | 3.6.13 3.7.10 3.8.8 3.9.2 3.10.0 | – | CVE-2021-3177 |
| CJK codecs tests call eval() on content retrieved via HTTP | 2020-10-05 | 3.6.13 3.7.10 3.8.7 3.9.1 3.10.0 | – | CVE-2020-27619 |
| [CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface | 2020-06-17 | 3.5.10 3.6.12 3.7.9 3.8.4 3.9.0 | – | CVE-2020-14422 |
| http.client: HTTP Header Injection in the HTTP method | 2020-02-10 | 3.5.10 3.6.12 3.7.9 3.8.5 3.9.0 | – | CVE-2020-26116 |
| CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7 | 2020-01-21 | 3.6.11 3.7.7 3.8.2 3.9.0 | – | CVE-2020-8315 |
| Email header injection in Address objects | 2019-12-17 | 3.5.10 3.6.11 3.7.8 3.8.4 3.9.0 | – | – |
| Infinite loop in tarfile module while opening a crafted file | 2019-12-10 | 3.5.10 3.6.12 3.7.9 3.8.5 3.9.0 | – | CVE-2019-20907 |
| Remove newline characters from uu encoding methods | 2019-11-30 | 2.7.18 3.5.10 3.6.10 3.7.6 3.8.1 3.9.0 | – | – |
| urllib basic auth regex denial of service | 2019-11-17 | 3.5.10 3.6.11 3.7.8 3.8.3 3.9.0 | – | CVE-2020-8492 |
| Regular Expression Denial of Service in http.cookiejar | 2019-11-14 | 2.7.18 3.5.10 3.6.10 3.7.6 3.8.1 3.9.0 | – | – |
| CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen() | 2019-10-24 | 2.7.18 3.5.10 3.6.11 3.7.8 3.8.3 3.9.0 | – | CVE-2019-18348 |
| Reflected XSS in DocXMLRPCServer | 2019-09-21 | 2.7.17 3.5.8 3.6.10 3.7.5 3.8.0 | – | CVE-2019-16935 |
| ssl.match_hostname() ignores extra string after whitespace in IPv4 address | 2019-07-01 | 3.7.4 3.8.0 | – | – |
| urlsplit does not handle NFKC normalization (second fix) | 2019-04-27 | 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 | – | CVE-2019-10160 |
| urlsplit does not handle NFKC normalization | 2019-03-06 | 2.7.17 3.5.7 3.6.9 3.7.3 3.8.0 | – | CVE-2019-9636 |
| urllib module local_file:// scheme | 2019-02-06 | 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 | – | CVE-2019-9948 |
| TALOS-2018-0758 SSL CRL distribution points Denial of Service | 2019-01-15 | 2.7.16 3.4.10 3.5.7 3.6.9 3.7.3 3.8.0 | – | CVE-2019-5010 |
| http.cookiejar: Incorrect validation of path | 2019-01-03 | 2.7.17 3.4.10 3.5.7 3.6.9 3.7.3 3.8.0 | – | – |
| xml package does not obey ignore_environment | 2018-09-24 | 2.7.16 3.4.10 3.5.7 3.6.8 3.7.2 3.8.0 | – | – |
| pickle.load denial of service | 2018-09-13 | 3.4.10 3.5.7 3.6.7 3.7.1 3.8.0 | – | CVE-2018-20406 |
| _elementtree C accelerator doesn’t call XML_SetHashSalt() | 2018-09-10 | 2.7.16 3.4.10 3.5.7 3.6.7 3.7.1 3.8.0 | – | CVE-2018-14647 |
| email.utils.parseaddr mistakenly parses an email | 2018-07-19 | 2.7.17 3.5.8 3.6.10 3.7.5 3.8.0 | – | CVE-2019-16056 |
| Email folding function Denial-of-Service | 2018-05-16 | 3.6.9 3.7.4 3.8.0 | – | – |
| Buffer overflow vulnerability in os.symlink on Windows | 2018-03-05 | 3.4.9 3.5.6 3.6.5 3.7.0 | – | CVE-2018-1000117 |
| difflib and poplib catastrophic backtracking | 2018-03-02 | 2.7.15 3.4.9 3.5.6 3.6.5 3.7.0 | – | CVE-2018-1060 CVE-2018-1061 |
| Python 2.7 readahead is not thread safe | 2017-09-20 | 2.7.15 | – | CVE-2018-1000030 |
| Expat 2.2.3 | 2017-07-17 | 2.7.14 3.3.7 3.4.8 3.5.5 3.6.3 3.7.0 | – | – |
| Environment variables injection in subprocess on Windows | 2017-06-22 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | – |
| Expat 2.2.1 | 2017-06-17 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | CVE-2012-0876 CVE-2016-0718 CVE-2016-9063 CVE-2017-9233 |
| PyString_DecodeEscape integer overflow | 2017-06-13 | 2.7.14 3.4.8 3.5.5 | – | CVE-2017-1000158 |
| bpo-30500: urllib connects to a wrong host | 2017-05-29 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | – |
| HTTP Header Injection (follow-up of CVE-2016-5699) | 2017-05-24 | 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 | – | CVE-2019-9740 CVE-2019-9947 |
| Py_SetPath(): _Py_CheckPython3 uses uninitialized DLL path | 2017-03-10 | 3.5.10 3.6.12 3.7.9 3.8.4 3.9.0 | – | CVE-2020-15523 |
| urllib FTP protocol stream injection | 2017-02-20 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.3 3.7.0 | – | – |
| Expat 2.2 (Expat bug #537) | 2017-02-17 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | CVE-2016-0718 CVE-2016-4472 |
| Zlib 1.2.11 | 2017-01-05 | 2.7.14 3.4.8 3.5.4 3.6.1 3.7.0 | – | CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 |
| gettext.c2py() | 2016-10-30 | 2.7.13 3.3.7 3.4.6 3.5.3 3.6.0 | – | – |
| Sweet32 attack (DES, 3DES) | 2016-08-24 | 2.7.13 3.4.7 3.5.3 3.6.0 | – | CVE-2016-2183 |
| HTTPoxy attack | 2016-07-18 | 2.7.13 3.3.7 3.4.6 3.5.3 3.6.0 | – | CVE-2016-1000110 |
| smtplib TLS stripping | 2016-06-11 | 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 | – | CVE-2016-0772 |
| Issue #26657: HTTP server directory traversal | 2016-03-28 | 2.7.12 3.3.7 3.4.7 3.5.2 3.6.0 | – | – |
| Issue #26556: Expat 2.1.1 | 2016-03-14 | 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 | – | CVE-2015-1283 |
| zipimporter overflow | 2016-01-21 | 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 | – | CVE-2016-5636 |
| mailcap shell command injection | 2015-08-02 | 3.7.16 3.8.16 3.9.16 3.10.8 3.11.0 | – | CVE-2015-20107 |
| HTTP header injection | 2014-11-24 | 2.7.10 3.3.7 3.4.4 3.5.0 | – | CVE-2016-5699 |
| Validate TLS certificate | 2014-08-28 | 2.7.9 3.4.3 3.5.0 | – | CVE-2014-9365 |
| buffer() integer overflows | 2014-06-24 | 2.7.8 | – | CVE-2014-7185 |
| JSONDecoder.raw_decode | 2014-04-13 | 2.7.7 3.2.6 3.3.6 3.4.1 3.5.0 | – | CVE-2014-4616 |
| os.makedirs() not thread-safe | 2014-03-28 | 3.2.6 3.3.6 3.4.1 3.5.0 | – | CVE-2014-2667 |
| socket.recvfrom_into() overflow | 2014-01-14 | 2.7.7 3.2.6 3.3.4 3.4.0 | – | CVE-2014-1912 |
| zipfile DoS using invalid file size | 2013-12-27 | 3.3.4 3.4.0 | – | CVE-2013-7338 |
| CGI directory traversal (URL parsing) | 2013-10-29 | 2.7.6 3.2.6 3.3.4 3.4.0 | – | – |
| ssl: NULL in subjectAltNames | 2013-06-27 | 2.6.9 2.7.6 3.2.6 3.3.3 3.4.0 | – | CVE-2013-4238 |
| ssl.match_hostname() IDNA issue | 2013-05-17 | 3.3.3 3.4.0 | – | CVE-2013-7440 |
| ssl.match_hostname() wildcard DoS | 2013-05-15 | 3.2.6 3.3.3 3.4.0 | – | CVE-2013-2099 |
| Limit imaplib.IMAP4_SSL.readline() | 2012-09-25 | 2.7.16 | – | CVE-2013-1752 |
| ftplib unlimited read | 2012-09-25 | 2.7.6 3.2.6 3.3.3 3.4.0 | – | CVE-2013-1752 |
| nntplib unlimited read | 2012-09-25 | 2.6.9 2.7.6 3.2.6 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1752 |
| poplib unlimited read | 2012-09-25 | 2.7.9 3.2.6 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1752 |
| smtplib unlimited read | 2012-09-25 | 2.7.9 3.2.6 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1752 |
| xmlrpc gzip unlimited read | 2012-09-25 | 2.7.9 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1753 |
| Hash function not randomized properly | 2012-04-19 | 3.4.0 | – | CVE-2013-7040 |
| Vulnerability in the utf-16 decoder after error handling | 2012-04-14 | 2.7.4 3.2.4 3.3.0 | – | CVE-2012-2135 |
| XML-RPC DoS | 2012-02-13 | 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 | – | CVE-2012-0845 |
| ssl CBC IV attack | 2012-01-27 | 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 | – | CVE-2011-3389 |
| Hash DoS | 2011-12-28 | 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 | – | CVE-2012-1150 |
| pypirc created insecurely | 2011-11-30 | 2.7.4 3.2.4 3.3.1 3.4.0 | – | CVE-2011-4944 |
| urllib redirect | 2011-03-24 | 2.5.6 2.6.7 2.7.2 3.1.4 3.2.1 3.3.0 | – | CVE-2011-1521 |
| SimpleHTTPServer UTF-7 | 2011-03-08 | 2.5.6 2.6.7 2.7.2 3.2.4 3.3.1 3.4.0 | – | CVE-2011-4940 |
| audioop integer overflows | 2010-05-10 | 2.6.6 2.7.0 3.1.3 3.2.0 | – | CVE-2010-1634 |
| audioop input validation | 2010-01-11 | 2.6.6 2.7.2 3.1.3 3.2.0 | – | CVE-2010-2089 |
| httplib unlimited read | 2009-08-28 | 2.7.2 3.1.4 3.2.0 | – | CVE-2013-1752 |
| smtpd accept bug and race condition | 2009-08-14 | 2.7.1 3.1.3 3.2.0 | – | CVE-2010-3492 CVE-2010-3493 |
| Multiple integer overflows (Apple) | 2008-07-31 | 2.6.0 3.0.0 | – | CVE-2008-1679 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-2316 CVE-2008-3142 CVE-2008-3144 CVE-2008-4864 |
| Multiple integer overflows (Google) | 2008-04-11 | 2.5.3 2.6.0 3.0.0 | – | CVE-2008-3143 |
| expandtab() integer overflow | 2008-03-11 | 2.5.3 2.6.0 3.0.0 | – | CVE-2008-5031 |
| CGI directory traversal (is_cgi() function) | 2008-03-07 | 2.7.0 3.2.4 3.3.1 3.4.0 | – | CVE-2011-1015 |
| rgbimg and imageop overflows | 2007-09-16 | 2.5.3 2.6.0 | – | CVE-2007-4965 CVE-2009-4134 CVE-2010-1449 CVE-2010-1450 |