Python 3.12.12, 3.11.14, 3.10.19, 3.9.24: Key Security Updates Explained

From Farkesli, the free encyclopedia of technology

Python's latest point releases – 3.12.12, 3.11.14, 3.10.19, and 3.9.24 – are now available, focusing exclusively on security improvements. While the spotlight often shines on major version upgrades like 3.14.0, these maintenance releases bring critical patches that keep older, widely-used Python versions safe. This Q&A covers the most important fixes, including updates to XML handling, archive validation, HTML parsing, and more. Whether you're a developer maintaining legacy systems or running production code, understanding these changes helps you protect your applications against known vulnerabilities.

What XML-related security fixes are included in these releases?

Two important XML fixes address potential security issues. First, the bundled libexpat library was upgraded to version 2.7.3, resolving CVE-2025-59375, a libexpat vulnerability that a crafted XML document could trigger during parsing. Second, a garbage-collection ordering issue in xml.parsers.expat was fixed (gh-139400): parent Expat parsers are now garbage-collected only after all subparsers created via ExternalEntityParserCreate() have been released. Previously, a parent parser could be collected while a subparser still referred to it, leading to use-after-free conditions when handling external entities through subparsers.
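The following is an added example, not code from the release notes or from CPython, showing the parent/subparser pattern the gh-139400 fix concerns: external entities are expanded through ExternalEntityParserCreate() only when their system identifier is on an allowlist, and each subparser is released inside the handler while the parent is still alive. The document, the allowlist and the function names are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed sample: the document references one external general entity.
DOC = b'<!DOCTYPE r [<!ENTITY ext SYSTEM "part.xml">]><r>&ext;</r>'
# Constructed allowlist standing in for the only content the entity may resolve to.
ALLOWED = {"part.xml": b"<inner>hello</inner>"}

def parse_with_allowlisted_entities(doc, allowed):
    """Parse doc, expanding only allowlisted external entities.

    Returns (character data seen, number of subparsers used). Each subparser
    is dropped inside the handler, before the parent parser goes away: that is
    the safe release order on any version, and the order gh-139400 now makes
    the garbage collector respect.
    """
    text = []
    expanded = 0
    parser = expat.ParserCreate()

    def on_chars(data):
        text.append(data)

    def on_external(context, base, system_id, public_id):
        nonlocal expanded
        payload = allowed.get(system_id)
        if payload is None:
            return 0  # refuse: expat aborts the parse with an ExpatError
        child = parser.ExternalEntityParserCreate(context)  # inherits handlers
        child.Parse(payload, True)
        expanded += 1
        return 1  # child is released here; the parent is still referenced

    parser.CharacterDataHandler = on_chars
    parser.ExternalEntityRefHandler = on_external
    parser.Parse(doc, True)
    return "".join(text), expanded

def is_refused(doc, allowed):
    """True when the document references an entity outside the allowlist."""
    try:
        parse_with_allowlisted_entities(doc, allowed)
    except expat.ExpatError:
        return True
    return False

if __name__ == "__main__":
    print(parse_with_allowlisted_entities(DOC, ALLOWED))  # ('hello', 1)
    print(is_refused(DOC, {}))                            # True
```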

What archive-related fixes were applied?

Two crucial fixes target archive file handling. In the tarfile module (gh-130577), member offsets are now validated to ensure they are non-negative, preventing extraction of maliciously crafted tar archives that could write data to arbitrary locations. For ZIP files (gh-139700), consistency checks were added for the zip64 end-of-central-directory record. Additionally, support was introduced for records containing “zip64 extensible data” when no bytes are prepended to the ZIP file, ensuring that valid archives created by some tools are correctly processed without security errors.

What HTML parsing changes were made to html.parser?

Multiple fixes bring html.parser.HTMLParser closer to the HTML5 standard, closing several security gaps. Key changes include: whitespace between </ and the tag name is no longer accepted – for example, </ script> no longer ends a script section. Vertical tabulation (\v) and non-ASCII whitespace characters are no longer recognized as whitespace; only the standard set (\t, \n, \r, \f, and space) is recognized. The null character (U+0000) no longer terminates tag names. End tags now ignore extraneous attributes and slashes after the tag name, so an end tag such as </script/foo=">"/> now ends the script section.

How were start and end tag parsing improved?

Several edge cases in tag parsing were aligned with HTML5. Multiple slashes and whitespace between the last attribute and the closing > are now ignored in both start and end tags (e.g., <a foo=bar/ //>). Multiple = between attribute name and value are no longer collapsed – for example, <a foo==bar> now produces an attribute foo with the value =bar. These changes remove parser differentials (inputs that html.parser and a browser interpreted differently) that HTML injection attacks relied on. Additionally, end-of-file errors are now handled per the HTML5 specification: comments and declarations are automatically closed, and incomplete tags are ignored.

What changed in CDATA and comment parsing?

CDATA section parsing was fixed to match the HTML5 specification (gh-135661). Variants of the closing delimiter with whitespace inserted into or before it no longer end a CDATA section – only the exact ]]> sequence does. A new private method _set_support_cdata() allows developers to control how <![CDATA[ is interpreted: as a CDATA section within foreign content (SVG or MathML) or as a bogus comment in the HTML namespace. Comment parsing also saw updates (gh-102555): --!> now closes a comment, while -- > (with whitespace before the >) no longer does. Support was added for abnormally ended empty comments like <!--> and <!--->.
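The three answers above list constructs whose interpretation changed. As an added example (not from the release notes or from CPython), the code below records the events html.parser emits for a document on the running interpreter, so behaviour can be compared across versions, and pre-screens input for the changed constructs so that a version-dependent parse can be flagged before the document is trusted. The regular expressions, their names and the sample documents are constructed approximations for this example, not part of the standard library.

```python
import re
from html.parser import HTMLParser

class EventCollector(HTMLParser):
    """Records every event html.parser emits for a document."""
    def __init__(self):
        super().__init__()
        self.events = []
    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, attrs))
    def handle_endtag(self, tag):
        self.events.append(("end", tag))
    def handle_data(self, data):
        self.events.append(("data", data))
    def handle_comment(self, data):
        self.events.append(("comment", data))

def collect_events(html):
    """Return the event list the running interpreter's html.parser produces."""
    p = EventCollector()
    p.feed(html)
    p.close()
    return p.events

# Constructed patterns for the constructs whose handling these releases changed.
# A document matching one of them may parse differently on a patched and an
# unpatched interpreter (and differently from a browser), so treat it as suspect.
SENSITIVE = {
    "whitespace_after_lt_slash": re.compile(r"</\s+[A-Za-z]"),
    "odd_whitespace_in_tag": re.compile(r"<[^<>]*[\x0b\x85\xa0\u2000-\u200a\u3000][^<>]*>"),
    "nul_in_tag": re.compile(r"<[^<>]*\x00"),
    "double_equals_attr": re.compile(r"<[A-Za-z][^>]*\s\w+==+"),
    "bang_comment_close": re.compile(r"<!--(?:(?!-->).)*--!>", re.S),
    "space_comment_close": re.compile(r"<!--(?:(?!-->).)*--\s+>", re.S),
    "cdata_marker": re.compile(r"<!\[CDATA\[", re.I),
}

def version_sensitive_constructs(html):
    """Return the names of the changed constructs present in html."""
    return {name for name, rx in SENSITIVE.items() if rx.search(html)}

if __name__ == "__main__":
    sample = '<script></ script>alert(1)</script><a foo==bar>x</a><!-- c --!>'
    print(version_sensitive_constructs(sample))
    for event in collect_events(sample):
        print(event)
```

Run the script under a pre-patch and a post-patch interpreter and diff the printed events to see exactly which of the listed changes affect your inputs.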

What additional security fix is specific to Python 3.11.14?

Python 3.11.14 includes an extra security update not present in the other versions. The bundled copy of setuptools was updated to version 79.0.1, fixing CVE-2025-47273 and CVE-2024-6345. Both CVEs involve potential code execution vulnerabilities through malicious package setups or crafted setup.py files. By upgrading setuptools, Python 3.11.14 ensures that projects using setup.py or setuptools-based builds are protected against these known threats.

Where can I download these Python releases?

All four releases are available for download from the official Python website. You can find Python 3.12.12 at python.org/downloads/release/python-31212/. The other versions (3.11.14, 3.10.19, 3.9.24) are listed under the main downloads page at python.org/downloads/. It is strongly recommended to upgrade as soon as possible, especially if your applications use the affected modules (xml.parsers.expat, tarfile, zipfile, and html.parser). Remember to test your code after upgrading to ensure compatibility.