CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3220 – Default mimetype known files writeable on Windows
https://notcve.org/view.php?id=CVE-2024-3220
14 Feb 2025 — There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as “/etc/mime.types”) also being used on Windows, where they are user-writable locations (“C:\etc\mime.types”). To wor... • https://mail.python.org/archives/list/security-announce@python.org/thread/CDXW34ND2LSAOYAR5N6UNONP4ZBX4D6R • CWE-426: Untrusted Search Path •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-0938 – URL parser allowed square brackets in domain names
https://notcve.org/view.php?id=CVE-2025-0938
31 Jan 2025 — The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. • https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-12254 – Unbounded memory buffering in SelectorSocketTransport.writelines()
https://notcve.org/view.php?id=CVE-2024-12254
06 Dec 2024 — Starting in Python 3.12.0, the asyncio._SelectorSocketTransport.writelines() method would not "pause" writing and signal to the Protocol to drain the buffer to the wire once the write buffer reached the "high-water mark". Because of this, Protocols would not periodically drain the write buffer potentially leading to memory exhaustion. This vulnerability likely impacts a small number of users, you must be using Python 3.12.0 or later, on macOS or Linux, using the asyncio module with protocols, and using .wri... • https://github.com/python/cpython/commit/71e8429ac8e2adc10084ab5ec29a62f4b6671a82 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-9287 – Virtual environment (venv) activation scripts don't quote paths
https://notcve.org/view.php?id=CVE-2024-9287
22 Oct 2024 — A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./ven... • https://github.com/python/cpython/issues/124651 • CWE-428: Unquoted Search Path or Element •