CVE-2025-6075 — Uncontrolled Resource Consumption in Software Foundation Cpython

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling12 documents9 sources

Severity

1.8LOWNVD

EPSS

0.0%

top 91.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython Python

Timeline

PublishedOct 31

Latest updateNov 26

Description

If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDpython/python3.13.1 — 3.13.11+3

▶CVEListV5python_software_foundation/cpython3.11.0 — 3.11.15+5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

python3.13 vulnerabilities↗2025-11-26

▶

OSV

python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4 vulnerabilities↗2025-11-24

▶

OSV

CVE-2025-6075: If the value passed to os↗2025-10-31

▶

GHSA

GHSA-vc2m-m665-8xm2: If the value passed to os↗2025-10-31

▶

CVEList

Quadratic complexity in os.path.expandvars() with user-controlled template↗2025-10-31

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2025-11-26

▶

Ubuntu

Python vulnerabilities↗2025-11-24

▶

Red Hat

python: Quadratic complexity in os.path.expandvars() with user-controlled template↗2025-10-31

▶

Microsoft

Quadratic complexity in os.path.expandvars() with user-controlled template↗2025-10-14

▶

Debian

CVE-2025-6075: pypy3 - If the value passed to os.path.expandvars() is user-controlled a performance de...↗2025

▶

💬Community

Bugzilla

CVE-2025-6075 python: Quadratic complexity in os.path.expandvars() with user-controlled template↗2025-10-31

▶