CVE-2025-12084:
XML parsing vulnerability in Python's xml.dom.minidom module can cause availability issues when building excessively nested documents.
Score
A numerical rating that indicates how dangerous this vulnerability is.
5.3 Medium
- Published Date:Dec 3, 2025
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.0
- EPSS Percentile:15%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:1.4
- Confidentiality Impact:NONE
- Integrity Impact:NONE
- Availability Impact:LOW
Overview
CVE-2025-12084 affects the xml.dom.minidom module in Python and is rated Medium. The CVSS v3.1 metrics listed above (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) give a base score of 5.3; the CVSS v4.0 base score is 6.3. The issue is an inefficient algorithm in methods such as appendChild() when building deeply nested XML structures, so the cost of constructing a document grows disproportionately with its nesting depth. The flaw is reachable over the network with low attack complexity and requires neither privileges nor user interaction. Confidentiality and integrity are not affected; the impact is on the availability of services that parse or build XML with minidom from untrusted input. The weakness is classified as CWE-407 (Inefficient Algorithmic Complexity).
Remediation
- Update to a Python release that includes the fix for this issue. The patch optimizes the _clear_id_cache() function so that handling deeply nested XML structures no longer incurs the excessive cost. Until the update is deployed, limit the nesting depth of XML accepted from untrusted sources (the depth check should run before a DOM tree is built, otherwise the check itself pays the cost it is meant to avoid), monitor CPU usage of XML-processing components to detect exploitation attempts, and apply rate limiting or timeouts to XML parsing operations to bound the impact.
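The depth-limiting mitigation above, as an added example (not code from the CPython project or from this advisory): the document is first stream-parsed with xml.parsers.expat, which costs linear time and stops as soon as the nesting exceeds the cap, and only then handed to minidom. A second helper builds a tree through appendChild(), the code path the advisory names, with the same cap applied up front. The limit of 100 levels, the function names, and the sample document are assumptions chosen for illustration; pick a limit that matches the documents your application legitimately handles.

```python
import xml.parsers.expat
from xml.dom import minidom


class XmlDepthExceeded(ValueError):
    """Raised when an XML document nests more deeply than the configured limit."""


def max_element_depth(data: bytes, limit: int) -> int:
    """Stream-parse `data` with expat and return its maximum element depth.

    Raises XmlDepthExceeded the moment the depth passes `limit`, so a hostile
    document is rejected after O(limit) work instead of being built as a DOM.
    """
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > limit:
            raise XmlDepthExceeded(f"element depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return deepest


def parse_with_depth_limit(data: bytes, limit: int = 100) -> minidom.Document:
    """Parse untrusted XML with minidom only after the depth check passes."""
    max_element_depth(data, limit)  # raises before any DOM node is created
    return minidom.parseString(data)


def build_dom_tree(depth: int, limit: int = 100) -> minidom.Document:
    """Build <a><a>...</a></a> via appendChild(), refusing depths above `limit`.

    This is the guarded form of the pattern the advisory describes: a tree whose
    depth is controlled by an untrusted caller is capped before construction.
    """
    if depth < 1:
        raise ValueError("depth must be at least 1")
    if depth > limit:
        raise XmlDepthExceeded(f"requested depth {depth} exceeds limit {limit}")
    doc = minidom.Document()
    node = doc.createElement("a")
    doc.appendChild(node)
    for _ in range(depth - 1):
        child = doc.createElement("a")
        node.appendChild(child)
        node = child
    return doc


def build_nested(depth: int) -> bytes:
    """Constructed sample input: <a> elements nested `depth` levels deep."""
    return b"<a>" * depth + b"</a>" * depth


if __name__ == "__main__":
    print("shallow document depth:", max_element_depth(build_nested(10), 100))
    try:
        parse_with_depth_limit(build_nested(5000), 100)
    except XmlDepthExceeded as exc:
        print("rejected:", exc)
```

Because expat is a streaming parser, the rejection of a deep document happens after reading roughly `limit` opening tags, regardless of how much further the document nests; the quadratic DOM-construction path is never entered for input that fails the check.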
References
- [1] Python CPython GitHub Commit. (2025). Retrieved from https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4
- [2] Python CPython GitHub Issue #142145. (2025). Retrieved from https://github.com/python/cpython/issues/142145
- [3] Python CPython GitHub Pull Request #142146. (2025). Retrieved from https://github.com/python/cpython/pull/142146
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.