CVE-2025-6069: Regex Denial of Service in Software Foundation Cpython

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.9% (top 24.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 17
Latest update: Aug 29

Description

The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

CVEListV5 | python_software_foundation/cpython | 3.10.0 | 3.10.19 | +5

Vulnerability Details (5)

OSV: python2.7 vulnerability (2025-08-29)
OSV: python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4 vulnerabilities (2025-08-21)
CVEList: HTMLParser quadratic complexity when processing malformed inputs (2025-06-17)
OSV: CVE-2025-6069: The html (2025-06-17)
GHSA: GHSA-j5cc-6rx8-ff96: The html (2025-06-17)

Vendor Advisories (4)

Ubuntu: Python vulnerabilities (2025-08-21)
Red Hat: cpython: Python HTMLParser quadratic complexity (2025-06-17)
Microsoft: HTMLParser quadratic complexity when processing malformed inputs (2025-06-10)
Debian: CVE-2025-6069: jython - The html.parser.HTMLParser class had worst-case quadratic complexity when proces... (2025)
CVE-2025-6069 — Regex Denial of Service | cvebase