Bénédikt Tran

**Name of the Vulnerable Software and Affected Versions** Python (affected versions not specified) **Description** The `unicodedata.normalize()` function can consume excessive CPU time when processing specially crafted Unicode input. This occurs when the input contains long sequences of combining characters with alternating Canonical Combining Class values, affecting all normalization forms. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CPython (affected versions not specified) **Description** The `ftpcp()` function in Lib/ftplib.py fails to use the actual peer address, instead trusting the host address supplied by the server during a PASV command. This occurs because `ftpcp()` calls `parse227()` directly and passes the raw, attacker-controllable IP address and port to `target.sendport()`, leading to a Server-Side Request Forgery (SSRF), where a server is tricked into making unintended requests to internal or external resources. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Expat (affected versions not specified) **Description** The Expat parser, when used with a registered ElementDeclHandler, is susceptible to a C stack overflow when processing an inline document type definition with a deeply nested content model. This occurs during the parsing of XML documents containing complex and deeply nested DTD content models. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.