CVE-2025-12084

Published: December 6, 2025Last modified: January 15, 2026

Description

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Severity score breakdown

Parameter	Value
Base score	5.3
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	NONE
Integrity impact	NONE
Availability impact	LOW
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Notes

This should also bring the fix's regression fix

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	python3	Fixed (3.11.13-r2)
	25 LTS	python3	Fixed (3.12.12-r1)
	Stream	python3	Fixed (3.12.12-r2)
Hardened Containers	23 LTS	python3	Fixed (3.11.13-r2)
	25 LTS	python3	Fixed (3.12.12-r1)
	Stream	python3	Fixed (3.12.12-r2)

References

https://github.com/python/cpython/commit/027f21e417b26eed4505ac2db101a4352b7c51a0
https://github.com/python/cpython/commit/08d8e18ad81cd45bc4a27d6da478b51ea49486e4
https://github.com/python/cpython/commit/27648a1818749ef44c420afe6173af6868715437
https://github.com/python/cpython/commit/41f468786762348960486c166833a218a0a436af
https://github.com/python/cpython/commit/57937a8e5e293f0dcba5115f7b7a11b1e0c9a273
https://github.com/python/cpython/commit/8d2d7bb2e754f8649a68ce4116271a4932f76907
https://github.com/python/cpython/commit/9c9dda6625a2a90d2a06c657eee021d6be19842d
https://github.com/python/cpython/commit/a696ba8b4d42fd632afc9bc88ad830a2e4cceed8
https://github.com/python/cpython/commit/ddcd2acd85d891a53e281c773b3093f9db953964
https://github.com/python/cpython/commit/e91c11449cad34bac3ea55ee09ca557691d92b53
https://github.com/python/cpython/issues/142145
https://github.com/python/cpython/pull/142146
https://github.com/python/cpython/pull/142211