CVE-2025-12084 | THREATINT

Description

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

PUBLISHED Reserved 2025-10-22 | Published 2025-12-03 | Updated 2025-12-05 | Assigner PSF

MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Product status

Default status

unaffected

Any version before 3.13.11

affected

3.14.0 (python) before 3.14.2

affected

3.15.0a1 (python) before 3.15.0

affected

Credits

Jacob Walls reporter

Shai Berger reporter

Natalia Bidart reporter

Seth Larson coordinator

References

github.com/python/cpython/pull/142146 patch

github.com/python/cpython/issues/142145 issue-tracking

github.com/...ommit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4 patch

github.com/...ommit/027f21e417b26eed4505ac2db101a4352b7c51a0 patch

github.com/...ommit/ddcd2acd85d891a53e281c773b3093f9db953964 patch

cve.org (CVE-2025-12084)

nvd.nist.gov (CVE-2025-12084)