Morph MORPH
SIGN IN SIGN UP
python / cpython UNCLAIMED

The Python programming language

0 0 13 Python

[3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) (#139527)

* [3.12] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commit f04bea44c37793561d753dd4ca6e7cd658137553)
(cherry picked from commit 68a1778b7721f3fb853cd3aa674f7039c2a4df36)
Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com>
S
Sebastian Pipping committed
0e4cd897811651d896c5be9beec803b506131c7c
Parent: d849cf5
Committed by GitHub <noreply@github.com> on 12/17/2025, 2:58:59 PM