CVE-2025-6075

Low CVSS: 1.8

If the value passed to os.path.expandvars() is user-controlled a
performance degradation is possible when expanding environment
variables.

Vendor

Product

CWE

Yayın Tarihi

2025-10-31 17:15:48

Güncelleme

2026-02-04 19:05:15

Source Identifier

cna@python.org

KEV Date Added

CWE-400 Python LOW Python 2025

https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c https://github.com/python/cpython/commit/5dceb93486176e6b4a6d9754491005113eb23427 https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84 https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742 https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c https://github.com/python/cpython/issues/136065 https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA/

Medium

CVE-2026-25645

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a…

High

CVE-2026-32274

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is comp…

High

CVE-2026-31900

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action suppo…

High

CVE-2026-25990

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a…

Medium

CVE-2025-12781

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the…

High

CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HT…