Python Ships Urgent Bugfix Releases: Version 3.14.2 and 3.13.11 Address Regressions and Security Vulnerabilities
<h2>Overview</h2>
<p>Just three days after the previous round of updates, the Python team has released two new maintenance versions: <strong>Python 3.14.2</strong> and <strong>Python 3.13.11</strong>. These expedited releases target critical regressions discovered in the latest updates, along with several security fixes. Users are encouraged to upgrade promptly to maintain stability and security.</p>
<h2 id="python-3142">Python 3.14.2: Second Maintenance Release</h2>
<p>This is the second maintenance update for the 3.14 series, containing <strong>18 bugfixes, build improvements</strong>, and documentation changes since <strong>Python 3.14.1</strong>. The release focuses on fixing regressions that could disrupt development workflows and runtime behavior.</p>
<h3>Key Regressions Fixed</h3>
<ul>
<li><strong>gh-142206:</strong> Exceptions occurring in <code>multiprocessing</code> when running programs while upgrading Python, which could break parallel processing.</li>
<li><strong>gh-142214:</strong> Exceptions in <code>dataclasses</code> when a class lacks an <code>__init__</code> method, leading to unexpected errors.</li>
<li><strong>gh-142218:</strong> <em>Segmentation faults</em> and assertion failures in <code>insertdict</code>, a core dictionary operation that could crash the interpreter.</li>
<li><strong>gh-140797:</strong> Crash when using multiple capturing groups in <code>re.Scanner</code>, affecting complex regular expressions.</li>
</ul>
<h3>Security Updates</h3>
<ul>
<li><strong>gh-142145 (CVE-2025-12084):</strong> Removed quadratic behavior in node ID cache clearing to prevent a potential denial-of-service attack.</li>
<li><strong>gh-119452:</strong> Fixed a potential virtual memory allocation denial of service in <code>http.server</code> that could exhaust system resources.</li>
</ul>
<p>For a complete list of changes, refer to the <a href="https://www.python.org/downloads/release/python-3142/">full changelog for Python 3.14.2</a>.</p>
<h2 id="python-31311">Python 3.13.11: Eleventh Maintenance Release</h2>
<p>This update for the <strong>Python 3.13</strong> series addresses regressions similar to those in 3.14.2, ensuring compatibility and reliability across both active release lines.</p>
<h3>Key Regressions Fixed</h3>
<ul>
<li><strong>gh-142206:</strong> Same multiprocessing exception issue as in 3.14.2.</li>
<li><strong>gh-142218:</strong> Same segmentation fault in <code>insertdict</code>.</li>
<li><strong>gh-140797:</strong> Same crash with multiple capturing groups in <code>re.Scanner</code>.</li>
</ul>
<h3>Security Updates</h3>
<ul>
<li><strong>gh-142145 (CVE-2025-12084):</strong> Identical quadratic behavior fix in node ID cache clearing.</li>
<li><strong>gh-119451:</strong> Fixed a potential denial of service in <code>http.client</code> that could be triggered by malicious input.</li>
<li><strong>gh-119452:</strong> Same virtual memory allocation fix in <code>http.server</code> as in 3.14.2.</li>
</ul>
<p>Detailed release notes are available on the <a href="https://www.python.org/downloads/release/python-31311/">Python 3.13.11 download page</a>.</p>
<h2 id="common-security-fixes">Common Security Fixes</h2>
<p>Both releases share the <strong>CVE-2025-12084</strong> fix, which eliminates a quadratic time complexity flaw in the node ID cache. This vulnerability could be exploited to cause excessive CPU usage and denial of service. Additionally, the <code>http.server</code> fix (gh-119452) prevents virtual memory exhaustion, while the 3.13 branch also benefits from an extra fix in <code>http.client</code> (gh-119451) that guards against input-based denial-of-service attacks.</p>
<h2 id="acknowledgments">Acknowledgments</h2>
<p>These releases would not be possible without the dedicated efforts of the Python development community. The release team—<em>Hugo van Kemenade, Thomas Wouters, Ned Deily, Steve Dower, and Łukasz Langa</em>—extends gratitude to all volunteers who contributed fixes, tests, and reviews. <strong>Consider supporting the Python Software Foundation</strong> through volunteering or corporate sponsorship to sustain this vital open-source project.</p>
<h2 id="how-to-update">How to Update</h2>
<p>To upgrade to the latest version, visit the official <a href="https://www.python.org/downloads/">Python downloads page</a> for Python 3.14.2 and Python 3.13.11, or use your package manager (e.g., <code>pip</code> for virtual environments). After upgrading, run your test suite to ensure compatibility with the newly patched modules.</p>
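<p>A post-upgrade check for the step above, as an added example that is not part of the original announcement or the Python project's own code: it classifies <code>python --version</code> strings against the two releases named here and reports which of the fixes listed above an older interpreter predates. The host names and inventory are constructed sample data, and the function names are illustrative.</p>

```python
import re
import sys

# Minimum patched micro version per series, with the security fixes this
# article lists for that release (identifiers copied from the article).
PATCHED = {
    (3, 14): (2, ["gh-142145 (CVE-2025-12084)", "gh-119452"]),
    (3, 13): (11, ["gh-142145 (CVE-2025-12084)", "gh-119451", "gh-119452"]),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(version_text):
    """Return (status, missing_fixes) for one `python --version` string."""
    match = VERSION_RE.search(version_text)
    if not match:
        return "unparseable", []      # e.g. an error message, not a version
    major, minor, micro = map(int, match.groups())
    entry = PATCHED.get((major, minor))
    if entry is None:
        return "not-covered", []      # a series this article says nothing about
    min_micro, fixes = entry
    if micro >= min_micro:
        return "patched", []
    return "upgrade", list(fixes)


def audit(inventory):
    """Map host -> (status, missing_fixes) for (host, version_text) pairs."""
    return {host: classify(text) for host, text in inventory}


# Constructed inventory: host names and versions are made-up sample data.
SAMPLE_INVENTORY = [
    ("build-01", "Python 3.14.1"),
    ("web-02", "Python 3.13.11"),
    ("batch-03", "Python 3.13.10"),
    ("legacy-04", "Python 3.12.9"),
    ("ci-05", "python: command not found"),
]

if __name__ == "__main__":
    print("this interpreter:", classify(sys.version))
    for host, (status, missing) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status:12} {', '.join(missing)}")
```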
<p>Stay tuned for further maintenance updates, and happy coding!</p>