AWS CLI v2 support for Python 3.14 #9783

@shreyasprabhakar-boop

Description

Vulnerability in Python zipfile module (ZIP64 EOCD offset validation)

Description / Context

The Python zipfile module (versions ≤ 3.13.7) does not validate the ZIP64 End of Central Directory (EOCD) Locator offset correctly. Specifically:

  • The module assumes the previous record is the ZIP64 EOCD record instead of checking the offset specified in the EOCD Locator.
  • This can lead to ZIP archives being interpreted differently than other ZIP implementations.
  • Potential risks include:
    • Unexpected behavior when extracting ZIP files
    • Possible file overwrites
    • Security issues in applications relying on zipfile for ZIP processing

Reference:

  • Python changelog: updating from 3.13.7 → 3.14.1 fixes this by validating the EOCD offset.

Labels

security docker python dependency

Use Case

Impact on our project / Docker images

  • Our Docker images currently install Python 3.x from Amazon Linux 2023 repositories.
  • The zipfile module included in these images is vulnerable if the Python version is ≤3.13.7.
  • If Python is required in the image, it must be upgraded to ≥3.14.1.
  • If Python is not required, it’s safer to remove it entirely, reducing attack surface.

Proposed Solution

Recommended Actions

  1. Upgrade Python to version ≥3.14.1 in Docker images.
  2. Rebuild Docker images using the latest OS base image.
  3. If Python is not required, remove it from the image entirely.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CLI version used

2.31.13

Environment details (OS name and version, etc.)

Ubuntu
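Added example, not part of this issue or of the AWS CLI code base: a stand-alone parser for the ZIP end-of-archive records that shows the two ways of finding the ZIP64 EOCD record the issue contrasts. The "assumed" strategy takes the 56 bytes immediately before the ZIP64 EOCD locator; the "declared" strategy follows the offset the locator advertises, checks the record signature there and requires the record to end at or before the locator. The archive bytes are constructed inline (one stored entry, `hello.txt`); the `gap` and `locator_offset` parameters are hypothetical knobs used only to build the divergent cases, and `python_zipfile_view` simply reports what the running interpreter's `zipfile` makes of each archive, which will differ by Python version.

```python
import io
import struct
import zipfile
import zlib

SIG_LOCAL, SIG_CENTRAL = b"PK\x03\x04", b"PK\x01\x02"
SIG_EOCD64, SIG_LOCATOR64, SIG_EOCD = b"PK\x06\x06", b"PK\x06\x07", b"PK\x05\x06"
EOCD64_FIXED = 56   # signature + 8-byte size field + 44 bytes of fixed fields
LOCATOR64 = 20
EOCD = 22


def build_archive(gap=b"", locator_offset=None):
    """Assemble a one-entry stored ZIP with ZIP64 end records (constructed
    sample input, not an archive taken from anywhere).
    gap: bytes placed between the ZIP64 EOCD record and the locator; the ZIP
         spec allows a "zip64 extensible data sector" in that position.
    locator_offset: overrides the offset the locator advertises, to model a
         corrupted or hostile locator (hypothetical parameter for the demo)."""
    name, payload = b"hello.txt", b"hello zip64\n"
    crc, size = zlib.crc32(payload), len(payload)
    local = struct.pack("<4s5H3L2H", SIG_LOCAL, 20, 0, 0, 0, 0x21,
                        crc, size, size, len(name), 0) + name + payload
    cd_off = len(local)
    central = struct.pack("<4s6H3L5H2L", SIG_CENTRAL, 45, 45, 0, 0, 0, 0x21,
                          crc, size, size, len(name), 0, 0, 0, 0, 0, 0) + name
    rec_off = cd_off + len(central)
    rec = struct.pack("<4sQHHLLQQQQ", SIG_EOCD64, 44, 45, 45, 0, 0, 1, 1,
                      len(central), cd_off)
    loc = struct.pack("<4sLQL", SIG_LOCATOR64, 0,
                      rec_off if locator_offset is None else locator_offset, 1)
    # 0xFFFFFFFF in the classic EOCD is the sentinel that sends readers to ZIP64.
    end = struct.pack("<4s4H2LH", SIG_EOCD, 0, 0, 1, 1, len(central), 0xFFFFFFFF, 0)
    return local + central + rec + gap + loc + end


def inspect_end_records(data):
    """Locate the ZIP64 EOCD record two ways and report whether they agree.
    'assumed' reproduces the heuristic described in the issue (record sits
    immediately before the locator); 'declared' follows the locator's offset
    and validates it, which is what a hardened reader should do."""
    eocd = data.rfind(SIG_EOCD)
    if eocd < 0:
        raise ValueError("no end of central directory record")
    loc = eocd - LOCATOR64
    if loc < 0 or data[loc:loc + 4] != SIG_LOCATOR64:
        return {"zip64": False}
    _, _disk, declared, disks = struct.unpack("<4sLQL", data[loc:loc + LOCATOR64])
    assumed = loc - EOCD64_FIXED
    report = {"zip64": True, "disks": disks, "assumed": assumed, "declared": declared}
    report["assumed_ok"] = assumed >= 0 and data[assumed:assumed + 4] == SIG_EOCD64
    ok = 0 <= declared <= loc - EOCD64_FIXED and data[declared:declared + 4] == SIG_EOCD64
    if ok:  # 12-byte header plus the declared size must end at or before the locator
        rec_size = struct.unpack_from("<Q", data, declared + 4)[0]
        ok = declared + 12 + rec_size <= loc
    report["declared_ok"] = ok
    report["agree"] = ok and report["assumed_ok"] and assumed == declared
    return report


def entries_from_record(data, rec_offset):
    """Walk the central directory that the ZIP64 EOCD record at rec_offset names."""
    fields = struct.unpack_from("<4sQHHLLQQQQ", data, rec_offset)
    count, cd_off = fields[7], fields[9]
    names, pos = [], cd_off
    for _ in range(count):
        hdr = struct.unpack_from("<4s6H3L5H2L", data, pos)
        if hdr[0] != SIG_CENTRAL:
            raise ValueError("bad central directory header")
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode())
        pos += 46 + name_len + extra_len + comment_len
    return names


def python_zipfile_view(data):
    """What this interpreter's zipfile makes of the archive (version-dependent)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, OSError, ValueError, struct.error) as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    cases = [("well-formed", build_archive()),
             ("extensible data before locator", build_archive(gap=b"\0" * 16)),
             ("locator offset tampered", build_archive(locator_offset=0))]
    for label, blob in cases:
        print(label, inspect_end_records(blob), python_zipfile_view(blob))
```

The second case is the one where the two strategies legitimately diverge: the locator points at a valid record, but the bytes immediately before the locator are not one, so a reader using the "assumed" position reads garbage while a reader honouring the locator finds `hello.txt`. The third case is the reverse: the bytes before the locator look right, but the locator's own offset points into the local file header, and only the validating strategy notices. Running the script under different Python versions shows which behaviour a given image's `zipfile` exhibits.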

Metadata

Labels

  • dependencies: This issue is a problem in a dependency.
  • feature-request: A feature should be added or improved.
  • p2: This is a standard priority issue.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests