CVE-2025-12084 — Inefficient Algorithmic Complexity in Software Foundation Cpython

CWE-407 — Inefficient Algorithmic Complexity CWE-770 — Allocation of Resources Without Limits or Throttling CWE-122 — Heap-based Buffer Overflow12 documents8 sources

Severity

6.3MEDIUMNVD

OSV5.7

EPSS

0.1%

top 82.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython Python

Timeline

PublishedDec 3

Latest updateMar 19

Description

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDpython/python3.14.0 — 3.14.2+2

▶CVEListV5python_software_foundation/cpython3.11.0 — 3.11.15+5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

python2.7 vulnerabilities↗2026-03-19

▶

OSV

python3.14, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4 vulnerabilities↗2026-02-05

▶

CVEList

Quadratic complexity in node ID cache clearing↗2025-12-03

▶

GHSA

GHSA-hfqx-732w-xrrw: When building nested elements using xml↗2025-12-03

▶

OSV

CVE-2025-12084: When building nested elements using xml↗2025-12-03

▶

📋Vendor Advisories

Ubuntu

Python 2.7 vulnerabilities↗2026-03-19

▶

Ubuntu

Python vulnerabilities↗2026-02-05

▶

Microsoft

Quadratic complexity in node ID cache clearing↗2025-12-09

▶

Red Hat

cpython: python: cpython: Quadratic algorithm in xml.dom.minidom leads to denial of service↗2025-12-03

▶

Microsoft

Rsync: heap buffer overflow in rsync due to improper checksum length handling↗2025-01-14

▶