Okay, I will maintain a note in the issue regarding the completed repair part. I hope others can complete the remaining sections.

cc @sethmlarson I'm assuming you're aware of this

After confirmation by CPython's security team

@ZeroIntensity Indeed, some of these have been reported to PSRT and I recommended a public issue.

I fixed posixpath in #134927

I fixed posixpath in #134927

Among them, both 17 and 18 belong to path replacement issues. I think you can fix them together, which will accelerate the repair speed. It should be additionally noted that other problems such as the infinite loop vulnerability caused by 17 need to be handled.

As for expandvars(), there is a more efficient way. Also, I suspect there is other quadratic complexity vulnerability here. I am working on this.

As for , there is a more efficient way. Also, I suspect there is other quadratic complexity vulnerability here. I am working on this.expandvars()

Yes, there are still some vulnerabilities.
update: I have added two more.

I may have found a new one:

import pathlib
import time

def create_deep_path(n):
    p = pathlib.PurePath("a")
    for _ in range(n):
        p = pathlib.PurePath(p, p) # Each iteration doubles the number of path segments
    return p
start = time.time()
# 2^20 ≈ 1,000,000
deep_path = create_deep_path(20)
str(deep_path)  # Path resolution is triggered, which consumes a large amount of resources
end = time.time()
print(f"Time taken: {end - start:.2f} seconds")

Possible fix, replace with paths.append(str(arg))

Now: Time taken: 0.51 seconds
Fix: Time taken: 0.24 seconds

@barneygale Can you be confirm this?

Edit: 3.14 3.15 only #130748

_raw_paths contains unjoined parts, so we still them in full:

# The `_raw_paths` slot stores unjoined string paths. This is set in
# the `__init__()` method.
'_raw_paths',

Note that str(...) actually joins the string paths, so the behavior is not the same.