_elementree C accelerator doesn’t call XML_SetHashSalt()


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The pyexpat module calls XML_SetHashSalt() to initialize the salt for hash randomization of the XML_Parser struct.

The _elementree C accelerator doesn’t call XML_SetHashSalt().


  • Disclosure date: 2018-09-10 (Python issue bpo-34623 reported)

Fixed In

Python issue

_elementtree.c doesn’t call XML_SetHashSalt().

  • Python issue: bpo-34623
  • Creation date: 2018-09-10
  • Reporter: Christian Heimes


Python’s elementtree C accelerator failed to initialise Expat’s hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat’s internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.


Timeline using the disclosure date 2018-09-10 as reference: