Python Issues Emergency Releases 3.14.2 and 3.13.11 to Fix Critical Regressions and Security Vulnerabilities
Python Releases Expedited Patches for Critical Regressions
Just three days after the last update, the Python team has rolled out emergency releases 3.14.2 and 3.13.11, addressing severe regressions and security flaws. The updates are recommended for all users, especially those running multiprocessing or HTTP servers.
According to the release team, "We discovered these regressions and security issues soon after the previous releases. An expedited fix was necessary to maintain stability and security." — Hugo van Kemenade, Python release manager.
Key Regressions Fixed
The expedited releases target four major regressions that could cause crashes or unexpected behavior:
- Exceptions in multiprocessing when upgrading Python (gh-142206)
- Exceptions in dataclasses without
__init__method (gh-142214) - Segmentation faults and assertion failures in insertdict (gh-142218)
- Crash when using multiple capturing groups in re.Scanner (gh-140797)
Security Fixes Included
Both releases also patch several security vulnerabilities, including a critical node ID cache clearing flaw (CVE-2025-12084) and denial of service risks in http.server and http.client.
- Remove quadratic behavior in node ID cache clearing (gh-142145, CVE-2025-12084)
- Fix potential virtual memory allocation denial of service in http.server (gh-119452)
- Fix potential denial of service in http.client (gh-119451 — 3.13.11 only)
Background
Python 3.14.2 is the second maintenance release of the 3.14 series, containing 18 bugfixes, build improvements, and documentation changes since 3.14.1. Python 3.13.11 is the eleventh maintenance release of the 3.13 branch.
The team emphasized that these are expedited releases driven by the discovery of regressions shortly after the previous updates. The swift turnaround underscores the importance of maintaining stability in the core language.
What This Means
Python users, particularly those relying on multiprocessing and HTTP services, should upgrade immediately to avoid crashes and potential security exploits. The fixes for CVE-2025-12084 address a quadratic performance issue that could be triggered remotely.
For organizations managing Python deployments, this release signals the need for rapid patch cycles. The community is urged to test their applications against the new versions and update their environments as soon as possible.
Download links:
The Python Software Foundation thanks all volunteers and contributors. For full changelogs, see the official release pages.
Related Articles
- UNC6692's Social Engineering and Malware Campaign: A Q&A Breakdown
- Critical Kernel Vulnerabilities: New Stable Releases Address Long-Standing Security Flaw
- Defending Against Geofenced PDF Phishing and Cobalt Strike: A Guide to Ghostwriter Tactics
- Credential Theft Explodes as Financial Cybercrime Evolves: 2025 Review and 2026 Warning
- AI Secrets Surge 140% as Shadow AI Opens New Front in Cyber Risk
- Scattered Spider’s ‘Tylerb’ Admits Role in Massive Cyber Fraud, Faces Decades in Prison
- Inside the Guilty Plea of 'Tylerb': Scattered Spider's Senior Member Admits Role in Major Crypto Thefts
- Iran-Linked Hacktivists Claim Destructive Cyberattack on Medical Giant Stryker