Quadratic Algorithm Vulnerability in Python's XML DOM Processing
CVE-2025-12084

6.3MEDIUM

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
3 December 2025

What is CVE-2025-12084?

The vulnerability arises in Python's xml.dom.minidom methods, specifically related to the appendChild() function, which relies on the _clear_id_cache() method. The algorithm exhibits quadratic behavior when creating excessively nested elements, potentially leading to performance degradation and affecting system availability. Users and developers dealing with complex XML structures should be aware of this issue and monitor their applications for any impacts due to deeply nested document structures.

Affected Version(s)

CPython 0 < 3.13.11

CPython 3.14.0 < 3.14.2

CPython 3.15.0a1 < 3.15.0a3

References

https://github.com/python/cpython/pull/142146
patch
https://github.com/python/cpython/issues/142145
issue-tracking
https://github.com/python/cpython/commit/08d8e18ad81cd45b...
patch

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jacob Walls
Shai Berger
Natalia Bidart
Seth Larson
JSON
.
CVE-2025-12084 : Quadratic Algorithm Vulnerability in Python's XML DOM Processing