Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork33.7k
[3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)#139527
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
CVE-2025-59375) (pythonGH-139234)Expose the XML Expat 2.7.2 mitigation APIs to disallow use ofdisproportional amounts of dynamic memory from within an Expatparser (seeCVE-2025-59375 for instance).The exposed APIs are available on Expat parsers, that is,parsers created by `xml.parsers.expat.ParserCreate()`, as:- `parser.SetAllocTrackerActivationThreshold(threshold)`, and- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.(cherry picked from commitf04bea4)Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
…on API (python#139366)Fix some typos left inf04bea4,and simplify some internal functions to ease maintenance of futuremitigation APIs.(cherry picked from commit68a1778)
picnixz commentedOct 7, 2025
To have a good synchronization, we'll also delay 3.10 to 3.13 backports for their next release cycle (see#139359 (comment)). |
ambv commentedOct 8, 2025
I set DO-NOT-MERGE to avoid confusion. Unset that when you think we should be releasing this. |
picnixz left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
The 22 additional lines are in the clinic file so all good.
hartwork commentedNov 22, 2025
@Yhg1s do you have a minute for this? 🙏 |
hartwork commentedDec 17, 2025
@Yhg1s do you have a minute? 🙏 |
0e4cd89 intopython:3.12Uh oh!
There was an error while loading.Please reload this page.
hartwork commentedDec 17, 2025
Thanks! 🙏 |
Uh oh!
There was an error while loading.Please reload this page.
Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (seeCVE-2025-59375 for instance).
The exposed APIs are available on Expat parsers, that is, parsers created by
xml.parsers.expat.ParserCreate(), as:parser.SetAllocTrackerActivationThreshold(threshold), andparser.SetAllocTrackerMaximumAmplification(max_factor).(cherry picked from commitf04bea4)
CC@picnixz
📚 Documentation preview 📚:https://cpython-previews--139527.org.readthedocs.build/