Morph MORPH
SIGN IN SIGN UP
python / cpython UNCLAIMED

The Python programming language

0 0 16 Python

[3.13] gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (GH-139234) (#139367)

* gh-90949: add Expat API to prevent XML deadly allocations (CVE-2025-59375) (#139234)

Expose the XML Expat 2.7.2 mitigation APIs to disallow use of
disproportional amounts of dynamic memory from within an Expat
parser (see CVE-2025-59375 for instance).

The exposed APIs are available on Expat parsers, that is,
parsers created by `xml.parsers.expat.ParserCreate()`, as:

- `parser.SetAllocTrackerActivationThreshold(threshold)`, and
- `parser.SetAllocTrackerMaximumAmplification(max_factor)`.

(cherry picked from commit f04bea44c37793561d753dd4ca6e7cd658137553)
(cherry picked from commit 68a1778b7721f3fb853cd3aa674f7039c2a4df36)
S
Sebastian Pipping committed
bc36bd1786b8921546b70d745aef3912af588bbb
Parent: 6ba31ca
Committed by GitHub <noreply@github.com> on 11/2/2025, 12:39:11 PM