Description
The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.
Published: 2025-06-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Amplified Denial of Service
Action: Assess Impact
AI Analysis

Impact

The vulnerability resides in the html.parser.HTMLParser class, which exhibits worst-case quadratic complexity when handling certain malformed inputs. Crafted data can cause the parser to consume excessive time and memory, leading to a denial-of-service condition. This weakness is classified as CWE-1333 and does not directly enable code execution or data exfiltration.

Affected Systems

The affected product is CPython from the Python Software Foundation. No specific version ranges are listed in the CNA data, so the impact potentially applies to all releases that have not incorporated the fixing commits referenced in the advisory.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium impact with limited exploitation scope. The EPSS score of less than 1% suggests a very low likelihood of current exploitation. The CVE is not listed in the CISA KEV catalog, further indicating a low urgency. Based on the description, the attack likely requires an attacker to supply crafted HTML input to a CPython process that performs parsing – a scenario that could arise in web services or content‑handling applications. No privilege escalation or remote code execution is enabled by this flaw.

Generated by OpenCVE AI on April 22, 2026 at 11:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Python release that contains the HTMLParser fix
  • If an update cannot be applied immediately, validate or sanitize incoming HTML data before invoking HTMLParser
  • Throttle or rate‑limit requests that trigger HTML parsing to mitigate potential denial‑of‑service impact

Advisories

Source      ID               Title
Debian DLA  DLA-4354-1       pypy3 security update
Debian DLA  DLA-4445-1       python3.9 security update
Debian DLA  DLA-4458-1       python-django security update
Debian DLA  DLA-4484-1       python-django security update
EUVD        EUVD-2025-18496  The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
Ubuntu USN  USN-7710-1       Python vulnerabilities

History

Mon, 07 Jul 2025 17:45:00 +0000


Wed, 18 Jun 2025 15:00:00 +0000

References
Metrics: threat_severity
  Removed: None
  Added: Moderate

Tue, 17 Jun 2025 14:15:00 +0000

References
Metrics: ssvc
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 14:00:00 +0000

Description
  Added: The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.
Title
  Added: HTMLParser quadratic complexity when processing malformed inputs
Weaknesses
  Added: CWE-1333
References
Metrics: cvssV3_1
  Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: PSF

Published:

Updated: 2026-04-21T20:17:13.876Z

Reserved: 2025-06-13T14:05:15.473Z

Link: CVE-2025-6069

Vulnrichment

Updated: 2025-06-17T13:58:32.039Z

NVD

Status : Deferred

Published: 2025-06-17T14:15:33.677

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6069

Redhat

Severity : Moderate

Public Date: 2025-06-17T13:39:46Z

Links: CVE-2025-6069 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses