Overview
Just three days after the previous round of updates, the Python team has released two new maintenance versions: Python 3.14.2 and Python 3.13.11. These expedited releases target critical regressions discovered in the latest updates, along with several security fixes. Users are encouraged to upgrade promptly to maintain stability and security.
Python 3.14.2: Second Maintenance Release
This is the second maintenance update for the 3.14 series, containing 18 bugfixes, build improvements, and documentation changes since Python 3.14.1. The release focuses on fixing regressions that could disrupt development workflows and runtime behavior.
Key Regressions Fixed
- gh-142206: Exceptions occurring in
multiprocessingwhen running programs while upgrading Python, which could break parallel processing. - gh-142214: Exceptions in
dataclasseswhen a class lacks an__init__method, leading to unexpected errors. - gh-142218: Segmentation faults and assertion failures in
insertdict, a core dictionary operation that could crash the interpreter. - gh-140797: Crash when using multiple capturing groups in
re.Scanner, affecting complex regular expressions.
Security Updates
- gh-142145 (CVE-2025-12084): Removed quadratic behavior in node ID cache clearing to prevent a potential denial-of-service attack.
- gh-119452: Fixed a potential virtual memory allocation denial of service in
http.serverthat could exhaust system resources.
For a complete list of changes, refer to the full changelog for Python 3.14.2.
Python 3.13.11: Eleventh Maintenance Release
This update for the Python 3.13 series addresses regressions similar to those in 3.14.2, ensuring compatibility and reliability across both active release lines.
Key Regressions Fixed
- gh-142206: Same multiprocessing exception issue as in 3.14.2.
- gh-142218: Same segmentation fault in
insertdict. - gh-140797: Same crash with multiple capturing groups in
re.Scanner.
Security Updates
- gh-142145 (CVE-2025-12084): Identical quadratic behavior fix in node ID cache clearing.
- gh-119451: Fixed a potential denial of service in
http.clientthat could be triggered by malicious input. - gh-119452: Same virtual memory allocation fix in
http.serveras in 3.14.2.
Detailed release notes are available on the Python 3.13.11 download page.
Common Security Fixes
Both releases share the CVE-2025-12084 fix, which eliminates a quadratic time complexity flaw in the node ID cache. This vulnerability could be exploited to cause excessive CPU usage and denial of service. Additionally, the http.server fix (gh-119452) prevents virtual memory exhaustion, while the 3.13 branch also benefits from an extra fix in http.client (gh-119451) that guards against input-based denial-of-service attacks.
Acknowledgments
These releases would not be possible without the dedicated efforts of the Python development community. The release team—Hugo van Kemenade, Thomas Wouters, Ned Deily, Steve Dower, and Łukasz Langa—extends gratitude to all volunteers who contributed fixes, tests, and reviews. Consider supporting the Python Software Foundation through volunteering or corporate sponsorship to sustain this vital open-source project.
How to Update
To upgrade to the latest version, visit the official Python downloads page for Python 3.14.2 and Python 3.13.11, or use your package manager (e.g., pip for virtual environments). After upgrading, run your test suite to ensure compatibility with the newly patched modules.
Stay tuned for further maintenance updates, and happy coding!