Denial-of-Service Vulnerability in HTML Parser of Python Software Foundation
CVE-2025-6069

4.3 MEDIUM

What is CVE-2025-6069?

The HTML parser in CPython, maintained by the Python Software Foundation, is vulnerable to a denial-of-service attack because it handles certain malformed inputs inefficiently. When processing these inputs, the parser can exhibit worst-case quadratic complexity, leading to significant delays and potential service disruption. An attacker can exploit this by supplying specially crafted input that causes the parser to consume an excessive amount of CPU time. Users are encouraged to apply the recommended patches and monitor their systems to mitigate potential threats.

Affected Version(s)

CPython: versions from 0 up to, but not including, 3.14.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Serhiy Storchaka
Jake Howard
sw0rd1ight