CVE-2025-12084

Advisory lineage Upstream: 0 Downstream: 60
Modified
Published: 03 Dec 2025, 18:55
Last modified:03 Mar 2026, 14:41

Vulnerability Summary

Overall Risk (default)
medium
25/100
CVSS Score
6.3 MEDIUM
v4.0 (cve.org)
EPSS Score
0.13% LOW
0% probability +0.08%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

03 Dec 2025, 18:55
Published
Vulnerability first disclosed
03 Mar 2026, 14:41
Last Modified
Vulnerability information updated

Description

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

CVSS Metrics

  • v4.0MEDIUMScore: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  • v4.0MEDIUMScore: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Trends

Current EPSS score: 0.13% Percentile: 32%

Techniques & Countermeasures

  • CWE-407Inefficient Algorithmic Complexity

    An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Affected Systems

  • python software foundationcpython

    < 3.13.11 | < 3.10.20 | ≥ 3.11.0, < 3.11.15 | ≥ 3.12.0, < 3.12.13 | ≥ 3.13.0, < 3.13.11 | ≥ 3.14.0, < 3.14.2 | ≥ 3.15.0a1, < 3.15.0a3

  • pythonpython

    < 3.13.11 | ≥ 3.14.0, < 3.14.2 | 3.15.0:alpha1 | 3.15.0:alpha2

References (14)