Notice: This page displays a fallback because interactive scripts did not run. Possible causes include disabled JavaScript or failure to load scripts or stylesheets.

Menu

Python 3.12.13

Release date: March 3, 2026

This is a security release of Python 3.12

Note: The release you're looking at is Python 3.12.13, a security bugfix release for the legacy 3.12 series. Python 3.14 is now the latest feature release series of Python 3. Get the latest release of 3.14.x here.

Security content in this release

Email and header-related

  • gh-144125: email.generator.BytesGenerator now refuses to serialize headers that are unsafely folded or delimited (see email.policy.Policy.verify_generated_headers); addressing CVE-2024-6923.
  • gh-143935: Fixed comment folding in modern email policies to prevent header injection when very long non-foldable comment text is wrapped.
  • gh-136063: email.message now ensures linear complexity for legacy HTTP parameter parsing.

HTTP, cookies, and URL parsing-related

  • gh-143916: wsgiref.headers.Headers now rejects C0 control characters in fields, values, and parameters.
  • gh-143919: http.cookies.Morsel now rejects control characters in fields and values.
  • gh-143925: data: URL media types now reject control characters.

XML-related

  • gh-144363: Upgraded bundled libexpat to 2.7.4 to fix CVE-2026-24515 and CVE-2026-25210.
  • gh-90949: Added Expat allocation-tracker APIs to xml.parsers.expat parser objects to limit memory amplification from malicious XML input; includes mitigation for CVE-2025-59375.
  • gh-142145: Removed quadratic behavior in xml.dom.minidom node ID cache clearing.

Denial-of-service hardening

  • gh-119342: Fixed a potential memory denial of service in plistlib.
  • gh-119451: Fixed a potential memory denial of service in http.client.
  • gh-119452: Fixed a potential memory denial of service in http.server (CGI server on Windows).
  • gh-136065: Fixed quadratic complexity in os.path.expandvars().

HTML parsing-related

  • gh-137836: Hardened html.parser.HTMLParser with support for additional RAWTEXT/PLAINTEXT elements (plaintext, xmp, iframe, noembed, noframes, optional noscript), improving robust handling of hostile markup.

SSL memory-safety fixes

  • gh-144833: Fixed a use-after-free in ssl when SSL_new() fails.

No installers

According to the release calendar specified in PEP 693, Python 3.12 is now in the "security fixes only" stage of its life cycle: the 3.12 branch only accepts security fixes, and releases of those are made irregularly in source-only form until October 2028. Python 3.12 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.12.10 was the last full bugfix release of Python 3.12 with binary installers.

Full Changelog

Files

Source release

Download XZ compressed source tarball

Version Operating system Description File size Sigstore SBOM GPG SHA-256 checksum
Gzipped source tarball Source release 26.0 MB .sigstore SPDX SIG 0816c4761c97ecdb3f50a3924de0a93fd78cb63ee8e6c04201ddfaedca500b0b
XZ compressed source tarball Source release 19.8 MB .sigstore SPDX SIG c08bc65a81971c1dd5783182826503369466c7e67374d1646519adf05207b684