Potential Quadratic Complexity Vulnerabilities in `path` Modules

[kexinoh]

Bug Description:
A series of simple quadratic complexity vulnerabilities has been identified. After confirmation by CPython's security team, since these DOS vulnerabilities pose a low threat and are relatively tedious to exploit, we can directly initiate requests in issues to seek assistance from the community for fixes.

Vulnerability Locations (All Fixed):

1. cpython/Lib/posixpath.py

   Line 290 in f49a07b

   def expandvars(path):

2. cpython/Lib/ntpath.py

   Line 403 in cb8a72b

   def expandvars(path):

   
   Repair Status:

• Vulnerabilities have been fixed in gh-136065: Fix quadratic complexity in os.path.expandvars() #134952 by @serhiy-storchaka and @Wulian233.

Common Information:

• CPython Version: main branch
• Operating System: Linux
• Credits: Finder is kexinoh (Xiangfan Wu) from QI-ANXIN Technology Research Institute.

Linked PRs

• gh-136065: Fix quadratic complexity in os.path.expandvars() #134952
• [3.9] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) #140839
• [3.14] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) #140844
• [3.13] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) #140845
• [3.12] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) #140847
• [3.11] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) #140848
• [3.10] gh-136065: Fix quadratic complexity in os.path.expandvars() (GH-134952) #140851

[serhiy-storchaka]

checkextensions is different issue. Even if there is some similarity, there are many important differences (for example, the code contains other bug and is even prone to infinite loop).

[kexinoh]

yes,i know it. But it seems that it is not part of path,  belongs to part of the tool. This means that input does not come from the user.

…

---Original--- From: "Serhiy ***@***.***> Date: Sat, Jun 28, 2025 18:20 PM To: ***@***.***>; Cc: ***@***.******@***.***>; Subject: Re: [python/cpython] Potential Quadratic Complexity Vulnerabilitiesin `path` Modules (Issue #136065) serhiy-storchaka left a comment (python/cpython#136065) checkextensions is different issue. Even if there is some similarity, there are many important differences (for example, the code contains other bug and is even prone to infinite loop). — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>