[3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) by hartwork · Pull Request #139527 · python/cpython · GitHub
Conversation

@hartwork
Contributor

@hartwork hartwork commented Oct 2, 2025

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is, parsers created by xml.parsers.expat.ParserCreate(), as:

  • parser.SetAllocTrackerActivationThreshold(threshold), and
  • parser.SetAllocTrackerMaximumAmplification(max_factor).

(cherry picked from commit f04bea4)

CC @picnixz


📚 Documentation preview 📚: https://cpython-previews--139527.org.readthedocs.build/
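As an added example (not code from this PR or from CPython itself), the helper below applies the two methods described above when the running `pyexpat` exposes them, parses unprotected otherwise, and reports which path was taken; the 64 MiB / 100.0 defaults and the `max_factor >= 1.0` rule are assumed from Expat 2.7.2's documentation, not from this page.

```python
from xml.parsers.expat import ExpatError, ParserCreate

# The two mitigation methods this PR exposes. They exist only when pyexpat
# is built against Expat >= 2.7.2 and CPython carries this change.
_TRACKER_METHODS = ("SetAllocTrackerActivationThreshold",
                    "SetAllocTrackerMaximumAmplification")


def alloc_tracker_available(parser=None):
    """True if the allocation-tracker mitigation can be configured here."""
    parser = parser if parser is not None else ParserCreate()
    return all(hasattr(parser, m) for m in _TRACKER_METHODS)


def parse_with_alloc_limits(data, threshold_bytes=64 * 1024 * 1024, max_factor=100.0):
    """Parse `data`, configuring the allocation tracker when available.

    Returns {"ok", "mitigated", "elements", "error"}. The defaults are the
    assumed Expat 2.7.2 defaults (64 MiB activation, 100x amplification).
    A much lower threshold also rejects legitimate small documents, because
    the parser's own buffers already dwarf a tiny input.
    """
    if not (max_factor >= 1.0):  # also rejects NaN; Expat requires >= 1.0
        raise ValueError("max_factor must be a number >= 1.0")
    parser = ParserCreate()
    mitigated = alloc_tracker_available(parser)
    if mitigated:
        parser.SetAllocTrackerActivationThreshold(threshold_bytes)
        parser.SetAllocTrackerMaximumAmplification(max_factor)
    seen = []
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    result = {"ok": True, "mitigated": mitigated, "elements": 0, "error": None}
    try:
        parser.Parse(data, True)
    except ExpatError as exc:  # a breach of the configured limit surfaces here
        result.update(ok=False, error=str(exc))
    result["elements"] = len(seen)
    return result


# Constructed benign document: parses under the default limits.
BENIGN_XML = b"<root><item id='1'>hello</item><item id='2'>world</item></root>"


def amplifying_xml(levels=4, fanout=10):
    """Constructed document whose single attribute value expands to
    64 * fanout**levels bytes (640 KB by default) from a few hundred bytes
    of input; it exists only to show the tracker refusing such a ratio."""
    decls = ['<!ENTITY e0 "%s">' % ("A" * 64)]
    for k in range(1, levels + 1):
        decls.append('<!ENTITY e%d "%s">' % (k, ("&e%d;" % (k - 1)) * fanout))
    return ('<!DOCTYPE r [%s]><r a="&e%d;"/>' % ("".join(decls), levels)).encode()
```

On an interpreter without the backport, `parse_with_alloc_limits` reports `mitigated=False`, which is the signal a deployment check should alarm on.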

picnixz and others added 4 commits October 2, 2025 23:47
CVE-2025-59375) (pythonGH-139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commit f04bea4)

Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
…on API (python#139366)

Fix some typos left in f04bea4,
and simplify some internal functions to ease maintenance of future
mitigation APIs.

(cherry picked from commit 68a1778)
@picnixz
Member

picnixz commented Oct 7, 2025

To have a good synchronization, we'll also delay 3.10 to 3.13 backports for their next release cycle (see #139359 (comment)).

@picnixz picnixz self-assigned this Oct 7, 2025
@ambv
Contributor

ambv commented Oct 8, 2025

I set DO-NOT-MERGE to avoid confusion. Unset that when you think we should be releasing this.
