Python 3.12 Runtime Vulnerability CVE-2025-13836 Fails Builds, Forces Upgrade to 3.14 or 3.13
A vulnerability in the Python 3.12 runtime is actively blocking software builds and forcing development teams into a non-trivial upgrade path. Vulnerability scans are failing builds on CVE-2025-13836, which the scanner rates HIGH even though its CVSS base score is 6.3 (a 6.3 falls in the MEDIUM band of the standard CVSS v3.x qualitative scale, so the HIGH rating reflects the scanner's own severity policy rather than the score alone). The issue is not in third-party packages but in the core CPython interpreter itself, with 12 CVEs identified in total. This creates immediate operational pressure: the build cannot proceed until the base runtime is patched, because a vulnerable interpreter cannot be fixed by pinning or upgrading any package on top of it.
The remediation strategy is a two-step process that tries the most complete but potentially most disruptive option first. The primary directive is to upgrade the base container image to Python 3.14.4, which resolves every identified vulnerability, including two MEDIUM-severity CVEs (CVE-2025-15366, CVE-2025-15367) that are only fixed in 3.14.1 and later. Recognizing the downstream compatibility risk, the plan includes a defined fallback: if key dependencies such as PyTorch do not yet publish wheels for Python 3.14, teams fall back to Python 3.13.13 instead. That secondary option clears the build-blocking HIGH and three of the five MEDIUMs, but leaves CVE-2025-15366 and CVE-2025-15367 unpatched until the 3.14 line becomes viable, so the fallback has to be recorded as accepted, time-boxed risk rather than as a completed remediation. In either case the exact patch release matters: 3.13.12 or 3.14.0 would not clear the same findings as 3.13.13 or 3.14.4, so the image tag must pin the full version rather than a bare 3.13 or 3.14.
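The two-step decision above is easier to reason about as a small gate: given the scanner's findings, the candidate interpreter versions in preference order, and which Python lines each critical dependency supports, pick the first candidate that both clears the blocking findings and is supported, and report what it leaves open. The following is an added example written for this page, not tooling from the scanner, CPython or PyTorch. The per-line fix releases, the placeholder IDs for the three unnamed MEDIUMs, and the PyTorch support matrix are assumptions constructed from the page's summary, not verified data.

```python
"""Constructed example: choose a CPython runtime for a container image from
scanner findings plus a dependency support matrix. Fix releases, placeholder
CVE IDs and the support matrix below are ASSUMED from the page's summary."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    cve: str
    scanner_severity: str       # the rating the scanner reports
    cvss: Optional[float]       # CVSS base score; None where the page gives none
    fixed_in: dict              # {(major, minor): first patched release on that
                                # line}; a line absent here is never fixed on it


def parse_version(text: str) -> tuple:
    """'3.14.4' -> (3, 14, 4). Tuples compare numerically; strings do not
    ('3.13.9' > '3.13.13' as strings)."""
    return tuple(int(part) for part in text.split("."))


def cvss_qualitative(score: Optional[float]) -> str:
    """Standard CVSS v3.x qualitative bands (FIRST.org specification)."""
    if score is None:
        return "UNSCORED"
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


# ASSUMED fix table built from the page: 3.13.13 and the 3.14 line clear the
# HIGH and three MEDIUMs; the two named MEDIUMs are fixed only from 3.14.1.
# The page does not name the other three MEDIUMs, so they get placeholder IDs.
FINDINGS = [
    Finding("CVE-2025-13836", "HIGH", 6.3,
            {(3, 13): (3, 13, 13), (3, 14): (3, 14, 0)}),
    Finding("CVE-2025-15366", "MEDIUM", None, {(3, 14): (3, 14, 1)}),
    Finding("CVE-2025-15367", "MEDIUM", None, {(3, 14): (3, 14, 1)}),
    Finding("CVE-PLACEHOLDER-1", "MEDIUM", None,
            {(3, 13): (3, 13, 13), (3, 14): (3, 14, 0)}),
    Finding("CVE-PLACEHOLDER-2", "MEDIUM", None,
            {(3, 13): (3, 13, 13), (3, 14): (3, 14, 0)}),
    Finding("CVE-PLACEHOLDER-3", "MEDIUM", None,
            {(3, 13): (3, 13, 13), (3, 14): (3, 14, 0)}),
]

# Severities the build gate refuses to ship, matching the page's behaviour
# (the HIGH blocks the build; MEDIUMs are tracked but do not block).
BLOCKING = {"HIGH", "CRITICAL"}


def is_fixed(finding: Finding, version: tuple) -> bool:
    first_fixed = finding.fixed_in.get(version[:2])
    return first_fixed is not None and version >= first_fixed


def remaining(findings, version: tuple) -> list:
    """Findings still open on the given interpreter release."""
    return [f for f in findings if not is_fixed(f, version)]


def gate_passes(findings, version: tuple) -> bool:
    return not any(f.scanner_severity in BLOCKING
                   for f in remaining(findings, version))


def choose_target(findings, candidates, dependency_support):
    """Walk candidates in preference order and return the first that every
    listed dependency supports AND that passes the gate, together with the
    CVE IDs it leaves open. dependency_support maps a dependency name to the
    set of (major, minor) lines it has wheels for."""
    for version in candidates:
        unsupported = [dep for dep, lines in dependency_support.items()
                       if version[:2] not in lines]
        if unsupported or not gate_passes(findings, version):
            continue
        return version, [f.cve for f in remaining(findings, version)]
    return None, []


if __name__ == "__main__":
    candidates = [parse_version("3.14.4"), parse_version("3.13.13")]
    # ASSUMED support matrix: torch wheels only for 3.12 and 3.13 so far.
    deps = {"torch": {(3, 12), (3, 13)}}
    current = parse_version("3.12.0")   # any 3.12.x is unfixed in this table
    print("CVSS 6.3 on the standard scale:", cvss_qualitative(6.3))
    print("current 3.12 image passes gate:", gate_passes(FINDINGS, current))
    target, left_open = choose_target(FINDINGS, candidates, deps)
    print("chosen target:", ".".join(map(str, target)), "leaves open:", left_open)
```

Run it with the assumed matrix and it selects 3.13.13 with the two named MEDIUMs still open; widen the `torch` entry to include `(3, 14)` and it selects 3.14.4 with nothing left. Note that the version comparison is on tuples, which is what makes "3.13.13 clears it, 3.13.12 does not" come out right; a string or float comparison on tags would not.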
This situation highlights the tangible security debt and operational friction created by lagging dependency support in complex software ecosystems. The requirement to run the full test suite after any interpreter upgrade underscores the risk of breaking changes between minor Python releases, forcing teams to balance security mandates against system stability. The findings marked 'Days Past Due' are those that have already exceeded the scanner's remediation SLA, which means these are not theoretical threats but known, unaddressed risks that have persisted in the environment, and that raises the urgency for resolution.