Bug 2408891 (CVE-2025-6075)

Summary: CVE-2025-6075 python: Quadratic complexity in os.path.expandvars() with user-controlled template
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bbrownin, dfreiber, drow, gotiwari, jburrell, jgrulich, jhorak, jkoehler, lbalhar, ljawale, lphiri, luizcosta, mvyas, nweather, rbobbitt, sdawley, tpopela, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A vulnerability in Python's os.path.expandvars() function can cause performance degradation. When processing specially crafted, user-controlled input containing nested environment variable patterns, the function exhibits quadratic time complexity, potentially leading to excessive CPU usage and denial-of-service (DoS) conditions. No code execution or data exposure occurs, so the impact is limited to a performance slowdown.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2413049, 2413052, 2413054, 2413055, 2413056, 2413060, 2413050, 2413051, 2413053, 2413057, 2413058, 2413059, 2413061
Bug Blocks:

Description OSIDB Bzimport 2025-10-31 17:02:11 UTC
If the value passed to os.path.expandvars() is user-controlled a performance degradation is possible when expanding environment variables.
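The description and Doc Text above say the slowdown is driven by the size and structure of a user-controlled template. For callers that cannot yet pick up the patched Python builds referenced later in this bug, the usual mitigation is to bound those quantities before the template ever reaches os.path.expandvars(). The wrapper below is an added example written for this page; it is not code from the bug report, from Red Hat, or from CPython. The function name safe_expandvars, the limits MAX_TEMPLATE_LEN and MAX_VAR_REFS, and the EXAMPLE_HOME environment variable are all assumptions constructed for the demonstration, and the limits are illustrative values to be tuned per application.

```python
import os

# Illustrative limits chosen for this example (assumptions, not values from
# the bug report). Both should be tuned to what the application actually needs.
MAX_TEMPLATE_LEN = 4096   # upper bound on the template length
MAX_VAR_REFS = 64         # upper bound on '$' characters, i.e. candidate references


def safe_expandvars(template: str, *, max_len: int = MAX_TEMPLATE_LEN,
                    max_refs: int = MAX_VAR_REFS) -> str:
    """Expand environment variables in a user-supplied template, but only
    after bounding the two inputs the expansion cost grows with: the
    template length and the number of candidate variable references.

    Raises ValueError when either bound is exceeded, so the caller can
    reject the request instead of spending CPU on it.
    """
    if len(template) > max_len:
        raise ValueError(f"template too long ({len(template)} > {max_len})")
    refs = template.count("$")
    if refs > max_refs:
        raise ValueError(f"too many variable references ({refs} > {max_refs})")
    return os.path.expandvars(template)


def demo() -> dict:
    """Exercise the wrapper on constructed inputs and return the outcomes.

    Returns a dict mapping a case name to either the expanded string or the
    marker 'rejected' when the wrapper refused the template.
    """
    # Constructed environment value for the demonstration only.
    os.environ["EXAMPLE_HOME"] = "/srv/app"

    cases = {
        "plain": "$EXAMPLE_HOME/logs",              # $NAME form
        "braced": "${EXAMPLE_HOME}/etc",            # ${NAME} form
        "unknown": "$EXAMPLE_NO_SUCH_VAR/x",        # undefined name is left as-is
        "too_long": "a" * 5000,                     # exceeds MAX_TEMPLATE_LEN
        "too_many_refs": "$X " * 100,               # 100 '$' exceeds MAX_VAR_REFS
    }

    results = {}
    for name, template in cases.items():
        try:
            results[name] = safe_expandvars(template)
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

The check is deliberately cheap (a length lookup and a single count pass) so it costs far less than the expansion it guards. Because os.path.expandvars() leaves undefined names untouched, rejecting templates up front is the only place a caller can fail closed; once the call is made, the work is already spent.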

Comment 2 Lumír Balhar 2025-11-25 13:34:19 UTC
The vulnerability was already fixed in all active branches, but the fixes are waiting to be released (except 3.9 and 3.15): https://github.com/python/cpython/issues/136065

Comment 3 errata-xmlrpc 2025-12-18 01:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:23530 https://access.redhat.com/errata/RHSA-2025:23530

Comment 4 errata-xmlrpc 2025-12-18 12:23:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:23342 https://access.redhat.com/errata/RHSA-2025:23342