Hi,

The following vulnerability was published for pypy3.

CVE-2025-12781[0]:
| When passing data to the b64decode(), standard_b64decode(), and
| urlsafe_b64decode() functions in the "base64" module the characters
| "+/" will always be accepted, regardless of the value of "altchars"
| parameter, typically used to establish an "alternative base64
| alphabet" such as the URL safe alphabet. This behavior matches what
| is recommended in earlier base64 RFCs, but newer RFCs now recommend
| either dropping characters outside the specified base64 alphabet or
| raising an error. The old behavior has the possibility of causing
| data integrity issues. This behavior can only be insecure if
| your application uses an alternate base64 alphabet (without "+/").
| If your application does not use the "altchars" parameter or the
| urlsafe_b64decode() function, then your application does not use an
| alternative base64 alphabet. The attached patches DO NOT make
| the base64-decode behavior raise an error, as this would be a change
| in behavior and break existing programs. Instead, the patch
| deprecates the behavior which will be replaced with the newly
| recommended behavior in a future version of Python. Users are
| recommended to mitigate by verifying user-controlled inputs match
| the base64 alphabet they are expecting or verify that their
| application would not be affected if the b64decode() functions
| accepted "+" or "/" outside of altchars.

https://github.com/python/cpython/issues/125346
https://github.com/python/cpython/pull/141128
https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-12781
    https://www.cve.org/CVERecord?id=CVE-2025-12781

Please adjust the affected versions in the BTS as needed.
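
The mitigation the CVE text recommends (verify that user-controlled input matches the expected base64 alphabet before decoding), sketched as an added example; it is not part of the original report or of the CPython/PyPy patches. The helper name strict_b64decode and the sample inputs are assumptions made for illustration.

```python
import base64
import binascii
import re

# Alphabets from RFC 4648; "=" padding may only appear at the end.
_STANDARD_RE = re.compile(rb"[A-Za-z0-9+/]*={0,2}")
_URLSAFE_RE = re.compile(rb"[A-Za-z0-9_-]*={0,2}")

# Constructed sample inputs: the same three bytes in each alphabet.
SAMPLE_URLSAFE = b"-_-_"
SAMPLE_STANDARD = b"+/+/"


def strict_b64decode(data, *, urlsafe=False):
    """Decode base64, rejecting any byte outside the expected alphabet.

    Hypothetical helper: it checks the alphabet itself instead of relying
    on the decoder, so "+" and "/" are refused when the URL-safe alphabet
    is expected, on patched and unpatched interpreters alike.
    """
    if isinstance(data, str):
        try:
            data = data.encode("ascii")
        except UnicodeEncodeError:
            raise ValueError("non-ASCII character in base64 input") from None
    pattern = _URLSAFE_RE if urlsafe else _STANDARD_RE
    if pattern.fullmatch(data) is None:
        raise ValueError("character outside the expected base64 alphabet")
    try:
        if urlsafe:
            return base64.urlsafe_b64decode(data)
        # validate=True makes the stdlib reject non-alphabet bytes too.
        return base64.b64decode(data, validate=True)
    except binascii.Error as exc:
        # Bad padding or length: surface one exception type to callers.
        raise ValueError(f"malformed base64: {exc}") from None
```
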