Impact
unicodedata.normalize() in CPython can exhibit quadratic time complexity when normalizing specially crafted Unicode strings that contain long runs of combining characters with alternating Canonical Combining Class values. The function consumes an inordinate amount of CPU time during these operations, which can lead to a denial-of-service condition for the executing process or the system as a whole, as reflected by its CVSS score of 6.3 and its classification under CWE-407 and CWE-606. The vulnerability is triggered during ordinary string processing and affects any code that invokes the normalize routine on untrusted input, whether directly or indirectly through higher-level libraries that rely on it.
Affected Systems
The issue is present in CPython, the reference implementation of Python, and affects all normalization forms. No specific version numbers are listed, meaning all current releases of CPython that expose the function are potentially impacted until the fix is incorporated.
Risk and Exploitability
The issue is rooted in CWE-407 (Resource Exhaustion) and CWE-606 (Unchecked Input for Parameter). The CVSS score indicates moderate severity, and the EPSS score is unavailable, suggesting that exploitation data is limited. The vulnerability is not listed in the CISA KEV catalog, so there is no documented active exploitation. The likely attack vector is supplying crafted Unicode data to an application that uses CPython's normalize function, possibly passing through network input, file loading, or user interface components. The exploit does not require privileged access and can be performed remotely if the target exposes such input vectors.
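Until a fixed CPython is deployed, code that must normalize untrusted text can bound the length of any run of combining characters before handing the string to the normalizer. The following is an added example written for this advisory, not CPython's code or the advisory's own; the MAX_COMBINING_RUN limit and the two sample strings are constructed assumptions.

```python
"""Defensive pre-check for unicodedata.normalize() on untrusted input.

Rejects input whose longest run of consecutive combining marks (Canonical
Combining Class != 0) exceeds a policy limit, so pathological strings are
refused up front instead of being passed to the quadratic path. Real text
rarely stacks more than a handful of marks on a single base character.
"""
import unicodedata

MAX_COMBINING_RUN = 32  # assumed policy limit, not a CPython constant


def longest_combining_run(text: str) -> int:
    """Return the length of the longest run of consecutive combining marks."""
    longest = run = 0
    for ch in text:
        if unicodedata.combining(ch):  # non-zero CCC means a combining mark
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return longest


def safe_normalize(form: str, text: str, limit: int = MAX_COMBINING_RUN) -> str:
    """Normalize `text` only if no combining run exceeds `limit`, else raise."""
    run = longest_combining_run(text)
    if run > limit:
        raise ValueError(
            f"refusing to normalize: combining run of {run} exceeds limit {limit}"
        )
    return unicodedata.normalize(form, text)


# Constructed sample inputs (not taken from the advisory).
BENIGN = "re\u0301sume\u0301"        # e + COMBINING ACUTE ACCENT, twice
SUSPICIOUS = "a" + "\u0301" * 1000   # 1000 stacked marks on one base character


if __name__ == "__main__":
    print(safe_normalize("NFC", BENIGN))  # prints the precomposed 'résumé'
    try:
        safe_normalize("NFC", SUSPICIOUS)
    except ValueError as exc:
        print(exc)
```

The check is linear in the input length, so it adds negligible cost on ordinary text while refusing the shape of input the advisory describes.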
OpenCVE Enrichment