4.3

CVE-2025-6069

HTMLParser quadratic complexity when processing malformed inputs

The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPython Software Foundation
Produkt CPython
Default Statusunaffected
Version 0
Version < 3.10.19
Status affected
Version 3.11.0
Version < 3.11.14
Status affected
Version 3.12.0
Version < 3.12.12
Status affected
Version 3.13.0
Version < 3.13.6
Status affected
Version 3.14.0a1
Version < 3.14.0b3
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.47% 0.376
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@python.org 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

https://github.com/python/cpython/issues/135462
https://github.com/python/cpython/pull/135464
https://github.com/python/cpython/commit/4455cbabf991e202185a25a631af206f60bbc949
https://github.com/python/cpython/commit/6eb6c5dbfb528bd07d77b60fd71fd05d81d45c41
https://github.com/python/cpython/commit/d851f8e258c7328814943e923a7df81bca15df4b
https://mail.python.org/archives/list/security-announce@python.org/thread/K5PIYLR6EP3WR7ZOKKYQUWEDNQVUXOYM/
https://github.com/python/cpython/commit/8d1b3dfa09135affbbf27fb8babcf3c11415df49
https://github.com/python/cpython/commit/ab0893fd5c579d9cea30841680e6d35fc478afb5
https://github.com/python/cpython/commit/f3c6f882cddc8dc30320d2e73edf019e201394fc
https://github.com/python/cpython/commit/fdc9d214c01cb4588f540cfa03726bbf2a33fc15