Improve GHSA-vc2m-m665-8xm2

kexinoh · kexinoh · commit b1a18308186d · 2025-11-06T00:44:29.000+08:00
diff --git a/advisories/unreviewed/2025/11/GHSA-vc2m-m665-8xm2/GHSA-vc2m-m665-8xm2.json b/advisories/unreviewed/2025/11/GHSA-vc2m-m665-8xm2/GHSA-vc2m-m665-8xm2.json
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vc2m-m665-8xm2",
+  "modified": "2025-10-31T18:31:26Z",
+  "published": "2025-10-31T18:31:15Z",
+  "aliases": [
+    "CVE-2025-6075"
+  ],
+  "summary": "Python: os.path.expandvars performance degradation with user-controlled input",
+  "details": "If the value passed to os.path.expandvars() is user-controlled a \nperformance degradation is possible when expanding environment \nvariables.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "python"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6075"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/issues/136065"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/commit/2e6150adccaaf5bd95d4c19dfd04a36e0b325d8c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/commit/631ba3407e3348ccd56ce5160c4fb2c5dc5f4d84"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/commit/892747b4cf0f95ba8beb51c0d0658bfaa381ebca"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/commit/9ab89c026aa9611c4b0b67c288b8303a480fe742"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/commit/c8a5f3435c342964e0a432cc9fb448b7dbecd1ba"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/python/cpython/commit/f029e8db626ddc6e3a3beea4eff511a71aaceb5c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/IUP5QJ6D4KK6ULHOMPC7DPNKRYQTQNLA"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2025-10-31T17:15:48Z"
+  }
+}
