Python Security Vulnerabilities
Warning: This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.
The Status of Python branches page lists the Python branches that receive security fixes.
Total: 95 vulnerabilities.
| Vulnerability | Disclosure | Fixed In | Vulnerable | CVE |
|---|---|---|---|---|
| Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple | 2023-03-24 | – | 3.10 | CVE-2023-27043 |
| urlparse does not correctly handle schemes | 2022-11-12 | 3.11.1 | 3.10 | CVE-2023-24329 |
| Buffer overflow in the _sha3 module in Python 3.10 and older | 2022-10-21 | 3.7.16 | – | CVE-2022-37454 |
| Slow IDNA decoding with large strings | 2022-10-19 | 3.7.16 | – | CVE-2022-45061 |
| Linux specific local privilege escalation via the multiprocessing forkserver start method | 2022-09-23 | 3.9.16 | – | CVE-2022-42919 |
| Prevent DoS by large str-int conversions | 2022-08-08 | 3.7.14 | – | CVE-2020-10735 |
| Windows: vulnerable zlib 1.2.11 | 2022-04-01 | 3.7.14 | – | CVE-2018-25032 |
| Windows: vulnerable bzip2 1.0.6 | 2021-07-02 | 3.7.13 | – | CVE-2016-3189 |
| CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0 | 2021-06-11 | 3.6.15 | – | CVE-2013-0340 |
| CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response | 2021-05-03 | 3.6.14 | – | CVE-2021-3737 |
| urllib.parse should sanitize urls containing ASCII newline and tabs. | 2021-04-18 | 3.6.14 | – | CVE-2022-0391 |
| ipaddress leading zeros in IPv4 address | 2021-03-30 | 3.8.12 | – | CVE-2021-29921 |
| ftplib should not use the host from the PASV response | 2021-02-21 | 3.6.14 | – | – |
| http.server: Open Redirection if the URL path starts with // | 2021-02-14 | 3.7.14 | – | CVE-2021-28861 |
| CVE-2021-3733: ReDoS in urllib.request | 2021-01-30 | 3.6.14 | – | CVE-2021-3733 |
| Information disclosure via pydoc getfile | 2021-01-21 | 3.6.14 | – | CVE-2021-3426 |
| urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator | 2021-01-19 | 3.6.13 | – | CVE-2021-23336 |
| ctypes: Buffer overflow in PyCArg_repr | 2021-01-16 | 3.6.13 | – | CVE-2021-3177 |
| CJK codecs tests call eval() on content retrieved via HTTP | 2020-10-05 | 3.6.13 | – | CVE-2020-27619 |
| [CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface | 2020-06-17 | 3.5.10 | – | CVE-2020-14422 |
| http.client: HTTP Header Injection in the HTTP method | 2020-02-10 | 3.5.10 | – | CVE-2020-26116 |
| CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7 | 2020-01-21 | 3.6.11 | – | CVE-2020-8315 |
| Email header injection in Address objects | 2019-12-17 | 3.5.10 | – | – |
| Infinite loop in tarfile module while opening a crafted file | 2019-12-10 | 3.5.10 | – | CVE-2019-20907 |
| Remove newline characters from uu encoding methods | 2019-11-30 | 2.7.18 | – | – |
| urllib basic auth regex denial of service | 2019-11-17 | 3.5.10 | – | CVE-2020-8492 |
| Regular Expression Denial of Service in http.cookiejar | 2019-11-14 | 2.7.18 | – | – |
| CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen() | 2019-10-24 | 2.7.18 | – | CVE-2019-18348 |
| Reflected XSS in DocXMLRPCServer | 2019-09-21 | 2.7.17 | – | CVE-2019-16935 |
| ssl.match_hostname() ignores extra string after whitespace in IPv4 address | 2019-07-01 | 3.7.4 | – | – |
| urlsplit does not handle NFKC normalization (second fix) | 2019-04-27 | 2.7.17 | – | CVE-2019-10160 |
| urlsplit does not handle NFKC normalization | 2019-03-06 | 2.7.17 | – | CVE-2019-9636 |
| urllib module local_file:// scheme | 2019-02-06 | 2.7.17 | – | CVE-2019-9948 |
| TALOS-2018-0758 SSL CRL distribution points Denial of Service | 2019-01-15 | 2.7.16 | – | CVE-2019-5010 |
| http.cookiejar: Incorrect validation of path | 2019-01-03 | 2.7.17 | – | – |
| xml package does not obey ignore_environment | 2018-09-24 | 2.7.16 | – | – |
| pickle.load denial of service | 2018-09-13 | 3.4.10 | – | CVE-2018-20406 |
| _elementree C accelerator doesn’t call XML_SetHashSalt() | 2018-09-10 | 2.7.16 | – | CVE-2018-14647 |
| email.utils.parseaddr mistakenly parse an email | 2018-07-19 | 2.7.17 | – | CVE-2019-16056 |
| Email folding function Denial-of-Service | 2018-05-16 | 3.6.9 | – | – |
| Buffer overflow vulnerability in os.symlink on Windows | 2018-03-05 | 3.4.9 | – | CVE-2018-1000117 |
| difflib and poplib catastrophic backtracking | 2018-03-02 | 2.7.15 | – | CVE-2018-1060 |
| Python 2.7 readahead is not thread safe | 2017-09-20 | 2.7.15 | – | CVE-2018-1000030 |
| Expat 2.2.3 | 2017-07-17 | 2.7.14 | – | – |
| Environment variables injection in subprocess on Windows | 2017-06-22 | 2.7.14 | – | – |
| Expat 2.2.1 | 2017-06-17 | 2.7.14 | – | CVE-2012-0876 |
| PyString_DecodeEscape integer overflow | 2017-06-13 | 2.7.14 | – | CVE-2017-1000158 |
| bpo-30500: urllib connects to a wrong host | 2017-05-29 | 2.7.14 | – | – |
| HTTP Header Injection (follow-up of CVE-2016-5699) | 2017-05-24 | 2.7.17 | – | CVE-2019-9740 |
| Py_SetPath(): _Py_CheckPython3 uses uninitialized DLL path | 2017-03-10 | 3.5.10 | – | CVE-2020-15523 |
| urllib FTP protocol stream injection | 2017-02-20 | 2.7.14 | – | – |
| Expat 2.2 (Expat bug #537) | 2017-02-17 | 2.7.14 | – | CVE-2016-0718 |
| Zlib 1.2.11 | 2017-01-05 | 2.7.14 | – | CVE-2016-9840 |
| gettext.c2py() | 2016-10-30 | 2.7.13 | – | – |
| Sweet32 attack (DES, 3DES) | 2016-08-24 | 2.7.13 | – | CVE-2016-2183 |
| HTTPoxy attack | 2016-07-18 | 2.7.13 | – | CVE-2016-1000110 |
| smtplib TLS stripping | 2016-06-11 | 2.7.12 | – | CVE-2016-0772 |
| Issue #26657: HTTP server directory traversal | 2016-03-28 | 2.7.12 | – | – |
| Issue #26556: Expat 2.1.1 | 2016-03-14 | 2.7.12 | – | CVE-2015-1283 |
| zipimporter overflow | 2016-01-21 | 2.7.12 | – | CVE-2016-5636 |
| mailcap shell command injection | 2015-08-02 | 3.7.16 | – | CVE-2015-20107 |
| HTTP header injection | 2014-11-24 | 2.7.10 | – | CVE-2016-5699 |
| Validate TLS certificate | 2014-08-28 | 2.7.9 | – | CVE-2014-9365 |
| buffer() integer overflows | 2014-06-24 | 2.7.8 | – | CVE-2014-7185 |
| JSONDecoder.raw_decode | 2014-04-13 | 2.7.7 | – | CVE-2014-4616 |
| os.makedirs() not thread-safe | 2014-03-28 | 3.2.6 | – | CVE-2014-2667 |
| socket.recvfrom_into() overflow | 2014-01-14 | 2.7.7 | – | CVE-2014-1912 |
| zipfile DoS using invalid file size | 2013-12-27 | 3.3.4 | – | CVE-2013-7338 |
| CGI directory traversal (URL parsing) | 2013-10-29 | 2.7.6 | – | – |
| ssl: NULL in subjectAltNames | 2013-06-27 | 2.6.9 | – | CVE-2013-4238 |
| ssl.match_hostname() IDNA issue | 2013-05-17 | 3.3.3 | – | CVE-2013-7440 |
| ssl.match_hostname() wildcard DoS | 2013-05-15 | 3.2.6 | – | CVE-2013-2099 |
| Limit imaplib.IMAP4_SSL.readline() | 2012-09-25 | 2.7.16 | – | CVE-2013-1752 |
| ftplib unlimited read | 2012-09-25 | 2.7.6 | – | CVE-2013-1752 |
| nntplib unlimited read | 2012-09-25 | 2.6.9 | – | CVE-2013-1752 |
| poplib unlimited read | 2012-09-25 | 2.7.9 | – | CVE-2013-1752 |
| smtplib unlimited read | 2012-09-25 | 2.7.9 | – | CVE-2013-1752 |
| xmlrpc gzip unlimited read | 2012-09-25 | 2.7.9 | – | CVE-2013-1753 |
| Hash function not randomized properly | 2012-04-19 | 3.4.0 | – | CVE-2013-7040 |
| Vulnerability in the utf-16 decoder after error handling | 2012-04-14 | 2.7.4 | – | CVE-2012-2135 |
| XML-RPC DoS | 2012-02-13 | 2.6.8 | – | CVE-2012-0845 |
| ssl CBC IV attack | 2012-01-27 | 2.6.8 | – | CVE-2011-3389 |
| Hash DoS | 2011-12-28 | 2.6.8 | – | CVE-2012-1150 |
| pypirc created insecurely | 2011-11-30 | 2.7.4 | – | CVE-2011-4944 |
| urllib redirect | 2011-03-24 | 2.5.6 | – | CVE-2011-1521 |
| SimpleHTTPServer UTF-7 | 2011-03-08 | 2.5.6 | – | CVE-2011-4940 |
| audioop integer overflows | 2010-05-10 | 2.6.6 | – | CVE-2010-1634 |
| audioop input validation | 2010-01-11 | 2.6.6 | – | CVE-2010-2089 |
| httplib unlimited read | 2009-08-28 | 2.7.2 | – | CVE-2013-1752 |
| smtpd accept bug and race condition | 2009-08-14 | 2.7.1 | – | CVE-2010-3492 |
| Multiple integer overflows (Apple) | 2008-07-31 | 2.6.0 | – | CVE-2008-1679 |
| Multiple integer overflows (Google) | 2008-04-11 | 2.5.3 | – | CVE-2008-3143 |
| expandtab() integer overflow | 2008-03-11 | 2.5.3 | – | CVE-2008-5031 |
| CGI directory traversal (is_cgi() function) | 2008-03-07 | 2.7.0 | – | CVE-2011-1015 |
| rgbimg and imageop overflows | 2007-09-16 | 2.5.3 | – | CVE-2007-4965 |
Table of Contents:
- Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple
- urlparse does not correctly handle schemes
- Buffer overflow in the _sha3 module in Python 3.10 and older
- Slow IDNA decoding with large strings
- Linux specific local privilege escalation via the multiprocessing forkserver start method
- Prevent DoS by large str-int conversions
- Windows: vulnerable zlib 1.2.11
- Windows: vulnerable bzip2 1.0.6
- CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0
- CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response
- urllib.parse should sanitize urls containing ASCII newline and tabs.
- ipaddress leading zeros in IPv4 address
- ftplib should not use the host from the PASV response
- http.server: Open Redirection if the URL path starts with //
- CVE-2021-3733: ReDoS in urllib.request
- Information disclosure via pydoc getfile
- urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator
- ctypes: Buffer overflow in PyCArg_repr
- CJK codecs tests call eval() on content retrieved via HTTP
- [CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface
- http.client: HTTP Header Injection in the HTTP method
- CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7
- Email header injection in Address objects
- Infinite loop in tarfile module while opening a crafted file
- Remove newline characters from uu encoding methods
- urllib basic auth regex denial of service
- Regular Expression Denial of Service in http.cookiejar
- CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()
- Reflected XSS in DocXMLRPCServer
- ssl.match_hostname() ignores extra string after whitespace in IPv4 address
- urlsplit does not handle NFKC normalization (second fix)
- urlsplit does not handle NFKC normalization
- urllib module local_file:// scheme
- TALOS-2018-0758 SSL CRL distribution points Denial of Service
- http.cookiejar: Incorrect validation of path
- xml package does not obey ignore_environment
- pickle.load denial of service
- _elementree C accelerator doesn’t call XML_SetHashSalt()
- email.utils.parseaddr mistakenly parse an email
- Email folding function Denial-of-Service
- Buffer overflow vulnerability in os.symlink on Windows
- difflib and poplib catastrophic backtracking
- Python 2.7 readahead is not thread safe
- Expat 2.2.3
- Environment variables injection in subprocess on Windows
- Expat 2.2.1
- PyString_DecodeEscape integer overflow
- bpo-30500: urllib connects to a wrong host
- HTTP Header Injection (follow-up of CVE-2016-5699)
- Py_SetPath(): _Py_CheckPython3 uses uninitialized DLL path
- urllib FTP protocol stream injection
- Expat 2.2 (Expat bug #537)
- Zlib 1.2.11
- gettext.c2py()
- Sweet32 attack (DES, 3DES)
- HTTPoxy attack
- smtplib TLS stripping
- Issue #26657: HTTP server directory traversal
- Issue #26556: Expat 2.1.1
- zipimporter overflow
- mailcap shell command injection
- HTTP header injection
- Validate TLS certificate
- buffer() integer overflows
- JSONDecoder.raw_decode
- os.makedirs() not thread-safe
- socket.recvfrom_into() overflow
- zipfile DoS using invalid file size
- CGI directory traversal (URL parsing)
- ssl: NULL in subjectAltNames
- ssl.match_hostname() IDNA issue
- ssl.match_hostname() wildcard DoS
- Limit imaplib.IMAP4_SSL.readline()
- ftplib unlimited read
- nntplib unlimited read
- poplib unlimited read
- smtplib unlimited read
- xmlrpc gzip unlimited read
- Hash function not randomized properly
- Vulnerability in the utf-16 decoder after error handling
- XML-RPC DoS
- ssl CBC IV attack
- Hash DoS
- pypirc created insecurely
- urllib redirect
- SimpleHTTPServer UTF-7
- audioop integer overflows
- audioop input validation
- httplib unlimited read
- smtpd accept bug and race condition
- Multiple integer overflows (Apple)
- Multiple integer overflows (Google)
- expandtab() integer overflow
- CGI directory traversal (is_cgi() function)
- rgbimg and imageop overflows