Release Date: June 3, 2025

This is a security release of Python 3.9

Note: The release you're looking at is Python 3.9.23, a security bugfix release for the legacy 3.9 series. Python 3.13 is now the latest feature release series of Python 3. Get the latest release of 3.13.x here.

Security content in this release

• gh-135034: [CVE 2024-12718] [CVE 2025-4138] [CVE 2025-4330] [CVE 2025-4435] [CVE 2025-4517] Fixes multiple issues that allowed tarfile extraction filters (filter="data" and filter="tar") to be bypassed using crafted symlinks and hard links.
• gh-133767: Fix use-after-free in the “unicode-escape” decoder with a non-“strict” error handler.
• gh-128840: Short-circuit the processing of long IPv6 addresses early in ipaddress to prevent excessive memory consumption and a minor denial-of-service.
• gh-80222: Folding of quoted string in display_name violates RFC.

No installers

According to the release calendar specified in PEP 596, Python 3.9 is now in the "security fixes only" stage of its life cycle: the 3.9 branch only accepts security fixes and releases of those are made irregularly in source-only form until October 2025. Python 3.9 isn't receiving regular bug fixes anymore, and binary installers are no longer provided for it. Python 3.9.13 was the last full bugfix release of Python 3.9 with binary installers.

Full Changelog