Python 3.12.12, 3.11.14, 3.10.19, and 3.9.24 released
Four new security releases of actively supported Python versions are now available: 3.12.12, 3.11.14, 3.10.19, and 3.9.24.

XML-related vulnerabilities are a major focus of these releases. The bundled libexpat has been updated to fix CVE-2025-59375, and xml.parsers.expat now ensures that a parent parser is only garbage collected once the subparsers created from it with ExternalEntityParserCreate() no longer use it.
Archive and ZIP handling has also been hardened. tarfile now validates archives to ensure member offsets are valid. For ZIP files, zip64 end of central directory records are checked for consistency, and support has been added for "zip64 extensible data" that has no leading bytes.
HTML parsing is another area with substantial changes: the standard library's HTML parser has received several updates that bring it in line with the HTML5 standard. The way html.parser.HTMLParser parses start and end tags has been fixed so that whitespace between < and the tag name is no longer valid syntax, and a null character (U+0000) can no longer prematurely terminate a tag name.
Other notable changes in HTML parsing include:
- Vertical tabulation (\v) and non-ASCII whitespaces are now recognized as non-whitespace characters.
- In end tags, attributes and slashes after the tag name are now ignored, rather than the tag being terminated at the first > inside a quoted attribute value.
- Multiple slashes and whitespaces between the last attribute and closing > are now ignored for both start and end tags.
- Multiple = between attribute name and value are no longer collapsed, which means that attributes with multiple equal signs are correctly parsed.
CDATA section parsing has also been updated to follow the HTML5 standard. Specifically:
- ]]> and ]] > can no longer prematurely terminate CDATA sections.
- A private method _set_support_cdata() allows customizing whether <![CDATA[ is parsed as a CDATA section or as a bogus comment.
Comment parsing has also been improved to follow the HTML5 standard. Specifically:
- --!> now ends comments correctly according to the specs.
- -- > can no longer terminate comments prematurely.
- Support has been added for abnormally ended empty comments such as <--> and <--->.
End-of-file handling in html.parser.HTMLParser has also improved: unclosed comments and declarations are now closed automatically at EOF. This reduces the risk of quadratic-time behaviour when parsing specially crafted input.
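As an added example (not code from the release notes or from CPython itself), the probe below feeds a few constructed edge-case documents to html.parser.HTMLParser and records the callbacks it raises, so you can confirm whether the interpreter you deploy carries the HTML5-conformant comment and end-tag handling described above. The EventRecorder class, the case names and the inputs are my own; the comments describe the behaviour of the updated parser.

```python
from html.parser import HTMLParser


class EventRecorder(HTMLParser):
    """Records every parser callback as a tuple so behaviour can be compared."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []

    def handle_starttag(self, tag, attrs):
        self.events.append(("start", tag, attrs))

    def handle_endtag(self, tag):
        self.events.append(("end", tag))

    def handle_data(self, data):
        self.events.append(("data", data))

    def handle_comment(self, data):
        self.events.append(("comment", data))

def parse_events(markup):
    """Feed one document and return its events; close() triggers the EOF handling."""
    parser = EventRecorder()
    parser.feed(markup)
    parser.close()
    return parser.events

# Constructed inputs (hypothetical case names); comments describe the updated parser.
EDGE_CASES = {
    # '--!>' ends the comment, so 'rest' is emitted as data after the comment 'x'.
    "bang_close": "<!--x--!>rest",
    # '-- >' no longer ends the comment; it runs to EOF and is closed there automatically.
    "space_close": "<!--x-- >rest",
    # An unterminated comment is closed at EOF instead of being degraded to text data.
    "unterminated": "<!--still open",
    # Whitespace between '</' and the tag name is no longer accepted as an end tag.
    "space_endtag": "</ p>after",
}

def has_html5_comment_handling():
    """True when this interpreter ends comments at '--!>' (the updated behaviour)."""
    return ("comment", "x") in parse_events(EDGE_CASES["bang_close"])

def probe():
    """Return {case: events} for every edge case, for inspection or a CI regression check."""
    return {name: parse_events(markup) for name, markup in EDGE_CASES.items()}
```

Running probe() on an interpreter from before these releases shows the older behaviour (for example, the comment text surfacing as data), which makes it a cheap check to add to a deployment pipeline.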