CVE-2025-12084

Description

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

CVSS v3.1 Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

CWE-407 CWE-407

Affected Products

Vendor	Product	Versions
python	python	< 3.13.11
python	python	3.14.0 — 3.14.2
python	python	All
python	python	All

References

Advisories & Patches

https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0 https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4 https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964 https://github.com/python/cpython/issues/142145 https://github.com/python/cpython/pull/142146

Other References

Frequently Asked Questions

What is CVE-2025-12084? +

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents. It has a CVSS v3.1 base score of 5.3 (MEDIUM).

How severe is CVE-2025-12084? +

CVE-2025-12084 has a CVSS v3.1 score of 5.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.

What products are affected by CVE-2025-12084? +

CVE-2025-12084 affects products from python, specifically: python. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-12084? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-42245

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has …

CVE-2026-43967

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over …

CVE-2026-44378

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause …

CVE-2026-40476

graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons …

CVE-2026-48959

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the …

CVE-2026-42304 7.5

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to …