Python 3.12.12 Security Releases Out Now

Python just dropped security fixes for versions from 3.9 to 3.12. Ignore at your peril—parsers got a sanity check.


Key Takeaways

  • Critical XML, tarfile, and HTML parser fixes in Python 3.12.12 through 3.9.24
  • Setuptools and SSL CVEs patched across versions—upgrade immediately
  • html.parser now closer to HTML5 spec, but stdlib still lags modern threats

Patch your Pythons. Now.

These aren’t fluffy feature drops. No, the release managers—Thomas Wouters and crew—rolled out security bandaids for Python 3.12.12, 3.11.14, 3.10.19, and 3.9.24. Why? Because letting Hugo hog the 3.14.0 spotlight felt unfair, apparently. But seriously, folks: XML bombs, dodgy parsers, and CVE-stuffed setuptools demanded action.

Look, Python’s been around the block. Twenty-plus years of glory, sure. But vulnerabilities in libexpat? Tarfile offsets gone rogue? That’s not ancient history—it’s your next breach headline if you’re sloppy.

XML’s Nasty Surprises Fixed

First up: libexpat bumped to 2.7.3, squashing CVE-2025-59375. (Yeah, 2025—time travel CVEs, because why not?) Expat parsers now play nice with garbage collection; no more subparsers haunting parents like bad exes. Tarfile? Validates offsets—no negatives allowed. Zip64 gets extensible data love, minus the prepend bytes drama.

And html.parser? Oh boy. It’s like they finally cracked open the HTML5 spec after a decade of coffee naps.

Whitespaces no longer accepted between </ and the tag name. E.g. </ script> does not end the script section.

That’s straight from the changelog. Brutal, right? Vertical tabs and non-ASCII whitespace? Booted. Null chars in tags? Nope. End tags ignoring attributes and slashes? Fixed. Even CDATA sections behave—]]> won’t prematurely bail anymore.

Comments too: --!> closes properly now. Quadratic blowups in specially crafted junk? Nuked. Escapable raw text in textarea and title? Solid. Unclosed script tags in .close()? Data preserved.

One paragraph. Dense. You’re welcome.

But here’s my beef, and a unique twist nobody’s saying: this mirrors the XML parsing woes from the early 2000s, when libxml2 exploits wrecked web servers. Python’s dragging that skeleton out for one last dance in 2024. Devs still parsing untrusted HTML with html.parser? You’re not building rockets; you’re begging for injection city. Historical parallel: Heartbleed taught us bundled deps rot fast. Python’s patching, but your upgrade laziness? That’s the real CVE.

Why Still Support Python 3.9 in 2024?

Python 3.10.19, 3.11.14, 3.12.12 all snag the setuptools 79.0.1 upgrade—bye, CVE-2025-47273 and CVE-2024-6345. But 3.9.24? Extra spice: SSL.SSLError on empty NPN protocols, fixing CVE-2024-5642.

It’s noble. Python’s LTS vibe for oldies keeps enterprises from rioting. But c’mon—3.9? That’s fossil fuel in a Tesla world. Companies hoard it like crypto bros hoard Bitcoin, citing “legacy code.” Translation: laziness. Prediction: by 2026, we’ll laugh at 3.9 stragglers getting pwned in the wild.

Short answer? Upgrade. All of ‘em. Release team begs: “Stay safe and upgrade!” They’re not wrong.

A sprawling thought: Imagine your app chugging tarfile from a shady download—negative offsets let attackers overflow buffers, rewrite files. Zip64 extensible data? Without checks, it’s ZIP slip city, planting malware. HTML parser quadratic? Billion laughs, DoS style. These aren’t hypotheticals; they’re Tuesday exploits on Exploit-DB.
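To make the tarfile point concrete, here is an added example (not code from the release notes or from CPython) that builds a small archive in memory with a traversal name and an escaping symlink, then dry-runs every member through the stdlib’s "data" extraction filter (PEP 706) before anything touches disk; on interpreters that predate that filter it falls back to the same path check written by hand. The archive contents and the ./unpacked destination are constructed for the demo.

```python
import io
import os
import tarfile

def build_sample_archive() -> bytes:
    # Constructed sample, built in memory: one benign file, one member whose
    # name climbs out of the destination, one symlink whose target escapes it.
    payload = b"hello\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../../escape.sh"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/passwd")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()

def _escapes(member: tarfile.TarInfo, dest: str) -> bool:
    # Hand-written fallback for interpreters without tarfile.data_filter:
    # the resolved member name and any link target must stay under dest.
    name = member.name.lstrip("/")
    if os.path.commonpath([os.path.realpath(os.path.join(dest, name)), dest]) != dest:
        return True
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            return True
        base = os.path.dirname(name) if member.issym() else ""
        target = os.path.realpath(os.path.join(dest, base, member.linkname))
        if os.path.commonpath([target, dest]) != dest:
            return True
    return member.isdev()  # devices and fifos are never "data"

def audit_archive(tar_bytes: bytes, dest: str) -> dict:
    # Dry-run each member through the 'data' filter; nothing is extracted.
    dest = os.path.realpath(dest)
    verdicts = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if hasattr(tarfile, "data_filter"):
                try:
                    tarfile.data_filter(member, dest)
                    verdicts[member.name] = "ok"
                except tarfile.FilterError as exc:
                    verdicts[member.name] = type(exc).__name__
            else:
                verdicts[member.name] = "rejected" if _escapes(member, dest) else "ok"
    return verdicts
```

Refuse the whole archive if any verdict is not "ok"; on a patched interpreter the real extraction then goes through extractall(..., filter="data") so the same rules are enforced again at write time.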

Is html.parser Finally HTML5-Compliant?

Kinda. Ish.

They fixed start/end tags per spec—no whitespace tricks between </ and name. Multiple = in attrs? foo==bar becomes foo="=bar". Slashes and spaces before >? Ignored. CDATA in SVG/MathML? Toggleable now. Comments handle --!> right, support malformed empties like <!-->. EOF errors auto-close junk.
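Those changelog items are easy to turn into a regression probe. The following added example (not code from the changelog or CPython) feeds three of the cases above to html.parser on whatever interpreter is installed and reports whether it shows the HTML5 behaviour, so you can run it before and after the upgrade and see exactly which callbacks change. The inputs are constructed.

```python
from html.parser import HTMLParser

class EventRecorder(HTMLParser):
    """Records every parser callback so two interpreter builds can be diffed."""
    def __init__(self):
        super().__init__()
        self.events = []
    def handle_starttag(self, tag, attrs):
        self.events.append(("starttag", tag, attrs))
    def handle_endtag(self, tag):
        self.events.append(("endtag", tag))
    def handle_data(self, data):
        self.events.append(("data", data))
    def handle_comment(self, data):
        self.events.append(("comment", data))

def events(html: str) -> list:
    """Parse a complete document and return the recorded callbacks."""
    p = EventRecorder()
    p.feed(html)
    p.close()
    return p.events

def probe_html5_edge_cases() -> dict:
    """Each key is True when the running interpreter behaves the way HTML5
    (and the patched releases) do, False on an older html.parser."""
    script = events("<script>a</ script>b</script>")
    attr = events("<a foo==bar>x</a>")
    comment = events("<!-- c --!>after")
    return {
        # patched: '</ script>' is script content, so exactly one end tag fires
        "spaced_endtag_ignored": sum(e[0] == "endtag" and e[1] == "script" for e in script) == 1,
        # patched: foo==bar is attribute foo with the value '=bar'
        "double_equals_kept": attr[0] == ("starttag", "a", [("foo", "=bar")]),
        # patched: '--!>' closes the comment instead of swallowing what follows
        "bang_comment_close": any(e[0] == "comment" for e in comment),
    }

if __name__ == "__main__":
    for check, ok in probe_html5_edge_cases().items():
        print(f"{check:24} {'HTML5' if ok else 'legacy'}")
```

A False on a production box means a sanitizer or scraper built on html.parser sees a different tree from the browser that will render the same bytes; that parser differential is the risk the fixes close.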

Dry humor alert: Python’s parser was like that drunk uncle at weddings—mumbling through toasts, ignoring rules. Now? Sober-ish. But if you’re neck-deep in BeautifulSoup or lxml, this matters zilch. Still, kudos for standards love.

Critique time. Corporate hype? Nah, Python’s volunteer-driven—no PR spin. But the “venerated versions” schtick? Cute. Reality: security theater if you don’t patch. Unique insight: these fixes expose how Python’s stdlib lags web realities—parsers from ’90s tech, bolted to 2024 threats. Bold call: CPython should fork a “secure-by-default” parser branch, force upgrades.

Volunteers rule. Thanks, Pablo, Łukasz, Ned, Steve. Donate or code—PSF needs it.

But devs? Stop whining about breakage. Test suites exist. Patch Tuesday is here.

The Real Risk: Your Unpatched Server

Tarfile non-negative offsets? Blocks directory traversal. Zip consistency? Stops fake central dirs. All prevent extraction bombs.

Setuptools CVEs? Dependency hell fixed. SSL NPN empty protos? MitM dodge.

Impact? High for web scrapers, archive handlers, XML lovers (few left). Low for pure math scripts. But everyone’s networked—assume compromise.

Humor break: “We couldn’t just let Hugo have fun with 3.14.0.” Pi day jealousy? Adorable. But CVEs don’t celebrate holidays.

Wrapping the sprawl: Python’s tireless team drops these quarterly. Ignore? Your funeral. My prediction—zero-day hunters already probing old parsers. Patch, test, deploy.

Frequently Asked Questions

What CVEs does Python 3.12.12 fix?

Libexpat CVE-2025-59375, setuptools CVE-2025-47273/CVE-2024-6345, plus parser hardening.

Should I upgrade Python 3.9 to 3.9.24?

Yes—SSL fix alone saves your ass from CVE-2024-5642. But jump to 3.12 while you’re at it.

Does this break my html.parser code?

Probably not—fixes align to HTML5. Test edge cases like funky whitespace.

Written by Marcus Rivera

Tech journalist covering AI business and enterprise adoption. 10 years in B2B media.



Originally reported by Python Insider
