AWS CLI v2 latest version has CVE-2025-4138/4330/4435

[ssz1997]

Describe the bug

aws-cli v2.27.36 has CVE-2025-4138/4330/4435 from security scan whose severities are HIGH

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

Expecting no fixable CVE present from aws cli.

Current Behavior

Fixable CVE with severity HIGH presents in latest version of aws-cli

Reproduction Steps

Security scan on an image in which aws cli is installed as follow:

RUN curl -fsSL https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip && unzip -q awscliv2.zip && /aws/install && rm -fr /aws*

Python library path /usr/local/aws-cli/v2/2.27.36/dist/libpython3.13.so.1.0 was reported having CVEs

Possible Solution

Upgrading python package to 3.13.4 in which the CVEs are fixed
https://www.python.org/downloads/release/python-3134/

Additional Information/Context

No response

CLI version used

2.27.36

Environment details (OS name and version, etc.)

ubi9-minimal:9.6

[ashovlin]

We just merged #9542 today to upgrade the bundled Python to 3.13.4. We'll comment again when the release is out with the new version number.

[ssz1997]

@ashovlin Thanks for the quick reply. Is there an ETA for the release?

[ashovlin]

We release most week days with the AWS service updates that are ready each day.

The Python upgrade should be in the next release which is still later today, but could be delayed if any issues arise during the internal build.

[AndrewAsseily]

Hi @ssz1997, thanks for bringing this up. The upgraded Python interpreter to 3.13.4 is now available in our latest release (2.27.37) of aws-cli. Closing this issue now.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.