CVE-2025-12084
📋 TL;DR
CVE-2025-12084 is a denial-of-service vulnerability in Python's xml.dom.minidom module where building deeply nested XML documents triggers quadratic time complexity, causing excessive CPU consumption and potential service unavailability. This affects any Python application using xml.dom.minidom methods like appendChild() to process untrusted XML input. The vulnerability impacts availability but does not allow code execution or data compromise.
💻 Affected Systems
- Python
- Applications using Python's xml.dom.minidom module
📦 What is this software?
Python by Python
Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion when processing maliciously crafted deeply nested XML documents, leading to denial of service for legitimate users.
Likely Case
Degraded performance or temporary service disruption when processing unusually complex XML documents, particularly in applications handling user-generated XML content.
If Mitigated
Minimal impact with proper input validation and resource limits, though performance degradation may still occur with legitimate complex documents.
🎯 Exploit Status
Exploitation requires the attacker to supply XML input to vulnerable applications. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Python security releases for specific version - patches are in CPython commits 027f21e, 08d8e18, 27648a1, 41f4687, 57937a8
Vendor Advisory: https://github.com/python/cpython/security/advisories
Restart Required: Yes
Instructions:
1. Identify the Python version in use.
2. Update to the latest Python security release.
3. Restart all Python applications and services.
4. Test XML processing functionality after the update.
🔧 Temporary Workarounds
Input Validation and Depth Limiting
Implement XML document depth validation before processing to prevent excessively nested structures.
```python
# Python example: Validate XML depth before processing
import xml.etree.ElementTree as ET


def validate_xml_depth(xml_string, max_depth=100):
    """Raise ValueError if any element in xml_string is nested deeper than max_depth."""
    root = ET.fromstring(xml_string)

    def check_depth(elem, current=1):
        if current > max_depth:
            raise ValueError(f"XML depth exceeds limit of {max_depth}")
        for child in elem:
            check_depth(child, current + 1)

    check_depth(root)
    return True
```
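A streaming variant of the depth guard, added here as an example (not code from this page or from CPython): it walks the document with ElementTree's iterparse and rejects it as soon as the nesting limit is crossed, before any full tree exists, and only then hands the bytes to minidom.parseString. The function names, the default limit of 100 and the `<n>` sample document are the example's own choices.

```python
import io
import xml.etree.ElementTree as ET
from xml.dom import minidom


def max_element_depth(data: bytes, max_depth: int) -> int:
    """Stream the document with iterparse and return its deepest element level.

    Raises ValueError as soon as a start tag exceeds max_depth, so an oversized
    document is rejected before any full tree (ElementTree or minidom) is built.
    """
    depth = peak = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > max_depth:
                raise ValueError(f"XML nesting depth exceeds limit of {max_depth}")
            peak = max(peak, depth)
        else:
            depth -= 1
            elem.clear()  # drop the finished subtree; memory stays proportional to depth
    return peak


def safe_parse_minidom(data: bytes, max_depth: int = 100) -> minidom.Document:
    """Run the streaming depth check, then build the minidom tree."""
    max_element_depth(data, max_depth)
    return minidom.parseString(data)


def rejects(data: bytes, max_depth: int) -> bool:
    """True if safe_parse_minidom refuses the document because of its depth."""
    try:
        safe_parse_minidom(data, max_depth)
    except ValueError:
        return True
    return False


def build_nested(depth: int) -> bytes:
    """Constructed sample input: <n><n>...</n></n> nested `depth` levels deep."""
    return ("<n>" * depth + "</n>" * depth).encode()


if __name__ == "__main__":
    print(max_element_depth(build_nested(5), 10))       # 5
    print(rejects(build_nested(5_000), max_depth=100))  # True
```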
Use Alternative XML Parsers
Replace xml.dom.minidom usage with xml.etree.ElementTree or lxml, which are not affected by this specific vulnerability.
```python
# Replace minidom with ElementTree
# Instead of: from xml.dom import minidom
# Use: import xml.etree.ElementTree as ET
```
🧯 If You Can't Patch
- Implement strict input validation to reject XML documents with excessive nesting depth
- Deploy rate limiting and resource quotas to prevent CPU exhaustion from malicious requests
🔍 How to Verify
Check if Vulnerable:
Check whether the application uses xml.dom.minidom methods such as appendChild() on potentially untrusted XML input. Review code for imports from xml.dom.minidom.
Check Version:
```shell
python --version
# or
python -c "import sys; print(sys.version)"
```
Verify Fix Applied:
After patching, test with sample deeply nested XML documents to ensure performance remains stable and no CPU exhaustion occurs.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes during XML processing
- Application timeouts or crashes when handling XML input
- Unusually long processing times for XML documents
Network Indicators:
- Multiple large XML payloads sent to XML processing endpoints
- Repeated XML submissions to trigger resource exhaustion
SIEM Query:
source="application_logs" AND ("xml.dom.minidom" OR "appendChild") AND (cpu_usage>90 OR duration>30s)
🔗 References
- https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0
- https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4
- https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437
- https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af
- https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273
- https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907
- https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d
- https://github.com/python/cpython/commit/a46c10ec9d4050ab67b8a932e0859a2ea60c3cb8
- https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8
- https://github.com/python/cpython/commit/c97e87593063d84a2bd9fe7068b30eb44de23dc0
- https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964
- https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53
- https://github.com/python/cpython/issues/142145
- https://github.com/python/cpython/pull/142146