Quick Facts
- Category: AI & Machine Learning
- Published: 2026-04-30 19:39:31
Python Rushes Out Emergency Updates to Fix Regressions and Security Holes
The Python Software Foundation has released two expedited versions—Python 3.14.2 and Python 3.13.11—just three days after the previous updates. These emergency patches target critical regressions and security vulnerabilities that could crash programs or expose systems to denial-of-service attacks.
According to the Python release team, the decision to fast-track these releases was driven by the severity of the issues. "We found some regressions that required immediate attention, so here's an expedited pair of releases," the team stated, also noting that the updates include bonus security fixes.
Expedited Releases Address Regressions
Python 3.14.2 is the second maintenance release of the 3.14 series, packing 18 bug fixes, build improvements, and documentation changes since version 3.14.1. The release focuses on correcting regressions that affected core functionalities:
- gh-142206: Exceptions in multiprocessing when upgrading Python while programs are running.
- gh-142214: Exceptions in dataclasses when no __init__ method is defined.
- gh-142218: Segmentation faults and assertion failures in insertdict.
- gh-140797: Crash when using multiple capturing groups in re.Scanner.
Python 3.13.11, the eleventh maintenance release of the 3.13 branch, shares the same regression fixes for multiprocessing, insertdict, and re.Scanner. Both versions also address the security vulnerabilities described below.
Security Fixes Included
The updates patch two security vulnerabilities, including one with a published CVE identifier:
- gh-142145 (CVE-2025-12084): Removes quadratic behavior in node ID cache clearing to prevent a potential denial-of-service condition.
- gh-119452: Fixes a potential virtual memory allocation denial of service in http.server.
In addition, Python 3.13.11 includes gh-119451, which addresses a potential denial-of-service vulnerability in http.client.
Background
Python releases maintenance updates regularly, but the rapid issuance of these versions highlights the urgency of the regressions and security issues. The multiprocessing regression could interrupt running processes during version upgrades, while the dataclasses and insertdict bugs risk application crashes. The security flaws, particularly the quadratic cache-clearing behavior, could be exploited to slow or halt systems. These are expedited releases intended to minimize risk for the large Python user base.
What This Means
Users of Python 3.14.0 and 3.14.1, as well as 3.13.10 and earlier 3.13.x versions, should update to the latest releases immediately to avoid instability and potential security breaches. The fixes ensure that multiprocessing, dataclasses, and regular expressions work reliably, and that HTTP servers are protected from denial-of-service attacks. The Python release team urges all developers and system administrators to prioritize these updates. "Enjoy the new release," the team added, thanking the volunteers who contributed to the fixes.
Full changelogs for Python 3.14.2 and Python 3.13.11 are available on the official website.
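An inventory check for the affected ranges stated above, added here as an example and not taken from the Python release team: it flags any 3.14.x below 3.14.2 and any 3.13.x below 3.13.11. The host names and version strings are constructed sample data, and classify and hosts_to_update are hypothetical helper names.

```python
import platform
import re

# Fixed maintenance release per series, as named in the article.
FIXED_MICRO = {(3, 14): 2, (3, 13): 11}

# First X.Y.Z triple that is not part of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")


def classify(version_text):
    """Return 'update', 'ok', 'not-covered' or 'unparsed' for one version string."""
    match = _VERSION_RE.search(version_text)
    if match is None:
        return "unparsed"
    major, minor, micro = (int(part) for part in match.groups())
    fixed = FIXED_MICRO.get((major, minor))
    if fixed is None:
        return "not-covered"  # series the article does not discuss
    # Pre-releases such as 3.14.0rc2 carry micro 0 and therefore also need updating.
    return "update" if micro < fixed else "ok"


def hosts_to_update(inventory):
    """Map of host -> reported version string; returns hosts that need the update."""
    return sorted(h for h, v in inventory.items() if classify(v) == "update")


# Constructed sample inventory (hypothetical hosts, e.g. collected `python --version` output).
SAMPLE_INVENTORY = {
    "build-01": "Python 3.14.1",
    "web-02": "Python 3.13.11",
    "batch-03": "3.13.10",
    "dev-04": "Python 3.14.0rc2",
    "ci-05": "Python 3.14.2",
    "legacy-06": "Python 3.12.8",
    "edge-07": "command not found",
}

if __name__ == "__main__":
    print("this interpreter:", platform.python_version(), classify(platform.python_version()))
    for host in hosts_to_update(SAMPLE_INVENTORY):
        print("needs update:", host, SAMPLE_INVENTORY[host])
```

Hosts reported as not-covered or unparsed need a separate look, since the article only speaks to the 3.13 and 3.14 series.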