CVE-2025-12084 Overview
CVE-2025-12084 is an algorithmic complexity vulnerability in Python's xml.dom.minidom module. DOM mutation methods such as appendChild() call the internal _clear_id_cache() helper, whose cost grows with the depth of the node being modified, so building a chain of nested elements one child at a time takes time quadratic in the depth. An attacker who controls the structure of a tree an application builds with minidom can supply a deeply nested document, burn excessive CPU and degrade application availability.
The issue affects the CPython reference implementation maintained by the Python Software Foundation. It is tracked as CWE-407: Inefficient Algorithmic Complexity.
Critical Impact
Remote attackers can exhaust CPU on applications that build or rearrange xml.dom.minidom trees from attacker-controlled XML by supplying deeply nested documents, resulting in denial of service.
Affected Products
- CPython 3.15.0 alpha 1 and 3.15.0 alpha 2 (the development-branch builds listed in the NVD record; check the upstream fix's backports for the maintained branch you run)
- Applications using xml.dom.minidom for nested element construction
Discovery Timeline
- 2025-12-03 - CVE-2025-12084 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-12084
Vulnerability Analysis
The vulnerability resides in xml.dom.minidom, Python's standard library module for a minimal Document Object Model (DOM). Mutation methods such as appendChild(), insertBefore(), replaceChild() and removeChild() invoke _clear_id_cache() to invalidate the document's cache of ID-attribute lookups (the cache behind getElementById()). To decide whether there is a document cache to clear, that routine walks the parentNode chain from the mutated node up to the owning Document, so a single mutation costs time proportional to the node's depth.
Building N nested elements top-down therefore walks 1 + 2 + ... + N ancestors, work proportional to N². A payload of a few thousand levels already costs millions of pointer hops in pure Python, and tens of thousands of levels can hold a worker for seconds to minutes on a single request. Note that minidom.parseString() assembles the parsed tree through an internal append helper rather than the public appendChild(); the quadratic path is reached by code that builds a tree element by element from attacker-controlled structure, or that re-inserts parsed elements into a document through the mutation API.
Root Cause
The root cause is inefficient algorithmic complexity (CWE-407) in the cache-clearing logic invoked by DOM mutation methods: every mutation repeats an ancestor walk whose length scales with the node's depth, instead of doing constant-time bookkeeping. See the upstream discussion in the CPython issue tracker for the maintainer analysis.
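The script below is an added example, not code from this page or from CPython, and reproduces the cost model described in the analysis and root cause above. It builds the same chain of nested elements two ways: top-down, where every appendChild() lands on a node already inside the document and so pays for a walk up the parentNode chain, and bottom-up, where each child is appended to a still-detached parent so the walk stops at once. The function names are mine; modeled_hops() is a model of that walk (the loop iterations it would take under the mechanism described above), not a measurement taken from the interpreter. On an interpreter carrying the upstream fix the gap between the two timings should shrink or vanish; on an unpatched one the top-down build grows roughly fourfold when the depth doubles.

```python
import time
from xml.dom import minidom


def build_top_down(depth, tag="n"):
    """Build `depth` nested elements, appending each new child to the deepest
    element already attached to the document.  Every appendChild() here runs
    _clear_id_cache() on a node that is inside the document, so the parent-chain
    walk costs O(current depth) and the whole build is O(depth**2)."""
    doc = minidom.Document()
    cur = doc
    for _ in range(depth):
        cur = cur.appendChild(doc.createElement(tag))
    return doc


def build_bottom_up(depth, tag="n"):
    """Build the identical tree from the innermost element outward.  Each
    appendChild() is called on a freshly created, still-detached parent, so the
    parent-chain walk ends immediately; the finished chain is attached once via
    Document.appendChild(), which clears the cache without any walk."""
    doc = minidom.Document()
    child = None
    for _ in range(depth):
        parent = doc.createElement(tag)
        if child is not None:
            parent.appendChild(child)
        child = parent
    if child is not None:
        doc.appendChild(child)
    return doc


def tree_depth(doc):
    """Maximum element nesting depth of `doc`, computed iteratively so that a
    deep tree cannot hit the recursion limit."""
    best = 0
    root = doc.documentElement
    stack = [(root, 1)] if root is not None else []
    while stack:
        node, d = stack.pop()
        best = max(best, d)
        for child in node.childNodes:
            if child.nodeType == child.ELEMENT_NODE:
                stack.append((child, d + 1))
    return best


def modeled_hops(depth):
    """Model (an assumption about the walk, not a measurement): iterations of the
    parent-chain walk for each build order.  Top-down, the k-th append walks k
    nodes (k-1 element ancestors plus the Document), giving 1+2+...+depth;
    bottom-up, every element append walks exactly one node and the final
    Document.appendChild() adds one more."""
    top_down = depth * (depth + 1) // 2
    bottom_up = depth + 1 if depth else 0
    return top_down, bottom_up


def time_build(builder, depth):
    """Wall-clock seconds to build a chain of `depth` elements with `builder`."""
    start = time.perf_counter()
    builder(depth)
    return time.perf_counter() - start


if __name__ == "__main__":
    for depth in (1500, 3000):
        td = time_build(build_top_down, depth)
        bu = time_build(build_bottom_up, depth)
        hops_td, hops_bu = modeled_hops(depth)
        print(f"depth={depth:5d}  top-down {td:7.3f}s (~{hops_td:,} hops)  "
              f"bottom-up {bu:7.3f}s (~{hops_bu:,} hops)")
```

Do not call toxml() on the deep trees built here: minidom serialises recursively and a few thousand levels will exceed the default recursion limit, which is a separate failure mode from the one this CVE describes.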
Attack Vector
The attack is network-reachable and needs neither authentication nor user interaction, but it depends on the target application passing attacker-controlled structure into xml.dom.minidom's mutation API. Typical paths are an HTTP endpoint, message-queue consumer or upload handler that builds a DOM element by element from external data (for example, a converter that turns a nested request structure into an XML document), or that parses a document with minidom.parseString() and then re-inserts its elements into another tree with appendChild() or insertBefore(). The attacker submits a payload, or a structure that becomes one, composed of thousands of nested elements to reach the quadratic code path and pin one or more worker threads.
No verified public proof-of-concept code is available; refer to GitHub pull request 142146 for the technical fix.
Detection Methods for CVE-2025-12084
Indicators of Compromise
- Sustained high CPU utilization in Python worker processes correlated with inbound XML payloads
- HTTP requests containing XML bodies with unusually deep element nesting, often thousands of levels
- Application response time degradation or worker timeouts on endpoints that invoke xml.dom.minidom
- Repeated client requests from a single source containing similarly structured nested XML
Detection Strategies
- Where the gateway records request body sizes, or the application logs the element count and maximum depth of documents it parses, flag XML requests that exceed the thresholds you set; raw access logs alone rarely reveal nesting depth
- Enable Python application profiling on parsing endpoints and flag stack frames in xml/dom/minidom.py consuming disproportionate CPU
- Correlate process-level CPU spikes with concurrent XML ingestion events using endpoint or runtime telemetry
Monitoring Recommendations
- Track per-request CPU time and request duration on services that parse XML and alert on outliers
- Monitor Python worker thread saturation, queue depth, and request timeout rates as availability signals
- Capture and retain XML payload metadata such as element count and maximum depth for forensic review
How to Mitigate CVE-2025-12084
Immediate Actions Required
- Inventory all Python services that import xml.dom.minidom and identify those that process untrusted input
- Apply the upstream CPython fix once a stable release containing it is available for your branch
- Enforce request body size limits and XML depth limits at the web server, reverse proxy, or application layer
- Where feasible, parse untrusted input with a streaming parser such as xml.etree.ElementTree.iterparse() instead of building a minidom tree, and enforce a nesting-depth limit regardless of parser; defusedxml hardens against entity-based attacks but does not bound depth
Patch Information
The CPython maintainers merged the fix through pull request 142146. Key commits include 027f21e4, 08d8e18a, and ddcd2acd. Upgrade to a CPython release that incorporates these commits when one is published for your supported branch.
Workarounds
- Reject XML payloads exceeding a defined maximum nesting depth at the ingress layer before they reach Python parsing code
- Use the defusedxml library for untrusted XML: it blocks DTDs, entity declarations and external references (the entity-expansion class of XML denial of service), but it does not limit nesting depth, so it complements rather than replaces a depth limit for this CVE
- Run XML parsing in isolated worker processes with strict CPU and wall-clock timeouts to contain resource exhaustion
# Configuration example: limit request body size in nginx as a defense-in-depth control.
# A size cap alone does not bound nesting: a 256k body still holds tens of thousands
# of "<a>...</a>" levels, so pair it with an explicit depth check in the application.
# /etc/nginx/conf.d/xml-limits.conf
client_max_body_size 256k;
client_body_buffer_size 64k;
client_body_timeout 10s;

# Python application-side guard using defusedxml (pip install defusedxml).
# defusedxml.minidom.parseString raises on DTDs, entity declarations and external
# references (the entity-expansion attacks); it does not limit element nesting depth,
# so it is a complement to, not a substitute for, a depth limit against this CVE.
from defusedxml.minidom import parseString

doc = parseString(payload)  # payload: request body (bytes or str); raises on forbidden constructs
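The guard below is an added example, not code from this page, from defusedxml or from CPython. It implements the nesting-depth and element-count limits recommended above and at the same time produces the payload metadata (element count, maximum depth) that the monitoring section asks to retain. It streams the body through xml.parsers.expat with handlers that only count nesting, so no tree is built and the scan aborts as soon as a limit is crossed; it refuses DTDs outright so that the pre-scan cannot itself be fed an entity-expansion bomb. Class and function names are mine, the default limits are illustrative, and deep_payload() merely constructs a sample input of the shape an attacker would send.

```python
import xml.parsers.expat
from xml.dom import minidom


class XmlShapeError(ValueError):
    """Raised when a document exceeds the configured depth or element budget,
    or declares a DTD (refused so the pre-scan cannot be driven into entity
    expansion)."""


def xml_shape(payload, max_depth=100, max_elements=50_000):
    """Stream `payload` (str or bytes) through expat without building a tree and
    return (max_depth_seen, element_count).  Raises XmlShapeError as soon as a
    limit is crossed, so a hostile body is rejected after reading only as much
    of it as the limit allows.  Malformed XML raises expat's ExpatError."""
    depth = 0
    max_seen = 0
    count = 0
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        nonlocal depth, max_seen, count
        depth += 1
        count += 1
        if depth > max_depth:
            raise XmlShapeError(f"nesting depth exceeds {max_depth} at <{name}>")
        if count > max_elements:
            raise XmlShapeError(f"element count exceeds {max_elements}")
        if depth > max_seen:
            max_seen = depth

    def end_element(name):
        nonlocal depth
        depth -= 1

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise XmlShapeError("DTD declarations are not accepted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.Parse(payload, True)  # exceptions raised inside handlers propagate from here
    return max_seen, count


def is_within_limits(payload, **limits):
    """True if the document passes xml_shape() under `limits`, False otherwise
    (both shape violations and malformed XML count as rejections)."""
    try:
        xml_shape(payload, **limits)
    except (XmlShapeError, xml.parsers.expat.ExpatError):
        return False
    return True


def guarded_parse(payload, **limits):
    """Pre-scan, then build the minidom tree.  Returns (document, (depth, count))
    so the caller can log the shape.  The depth limit is what bounds the later
    cost of any appendChild()-style rebuild of the tree, so keep it small:
    legitimate documents are rarely more than a few dozen levels deep."""
    shape = xml_shape(payload, **limits)
    return minidom.parseString(payload), shape


def deep_payload(levels, tag="a"):
    """Constructed sample: `levels` nested elements, the shape an attacker sends."""
    return f"<{tag}>" * levels + f"</{tag}>" * levels


if __name__ == "__main__":
    print(xml_shape("<root><item/><item/></root>"))
    print(is_within_limits(deep_payload(5000)))
    print(is_within_limits("<!DOCTYPE a [<!ENTITY x 'y'>]><a>&x;</a>"))
```

Run the check before any code path that builds or rearranges a minidom tree from the request, and record the returned (depth, count) pair with the request for the forensic review described under Monitoring Recommendations. defusedxml can be layered on top for entity protection but adds no depth bound of its own.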
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.