Bug Description:
A series of simple quadratic complexity vulnerabilities has been identified. After confirmation by CPython's security team, since these DOS vulnerabilities pose a low threat and are relatively tedious to exploit, we can directly initiate requests in issues to seek assistance from the community for fixes.

Vulnerability Locations (All Fixed):

1. cpython/Lib/posixpath.py

   Line 290 in f49a07b

   def expandvars(path):

2. cpython/Lib/ntpath.py

   Line 403 in cb8a72b

   def expandvars(path):

   
   Repair Status:

• Vulnerabilities have been fixed in gh-136065: Fix quadratic complexity in os.path.expandvars() #134952 by @serhiy-storchaka and @Wulian233.

Common Information:

• CPython Version: main branch
• Operating System: Linux
• Credits: Finder is kexinoh (Xiangfan Wu) from QI-ANXIN Technology Research Institute.

Linked PRs

• gh-136065: Fix quadratic complexity in os.path.expandvars() #134952