Skip to content

using xml.etree.ElementTree.fromstring shouldn't raise errors in python versions 3.11 and up #1344

New issue
New issue
Open
Open
using xml.etree.ElementTree.fromstring shouldn't raise errors in python versions 3.11 and up#1344
Labels
bugSomething isn't working
@iscai-msft

Description

@iscai-msft
iscai-msft
opened on Dec 15, 2025

Describe the bug

When using xml.etree.ElementTree.fromstring on code, I get this warning

Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called

First off, I don't think this warning is valid anymore. According to the Python documentation:

  1. Modern Python versions are safe: Python 3.11-3.15 include expat 2.7.1, which is not vulnerable to XXE attacks. The Python documentation previously included a vulnerability table showing which XML parsers were safe, but this table was recently removed because it is now safe (see: https://github.com/python/cpython/pull/135294/files).
  2. ElementTree doesn't expand external entities by default: ElementTree uses expat internally and doesn't expand DTDs or external entities, so it shouldn't be vulnerable to the worst known issues.
  3. There is no CVE for modern Python versions: The CWE-611 categorization exists, but there is no corresponding CVE that links it to recent Python versions because the vulnerability has been addressed.

To me, this seems that the Python team is signaling that ElementTree.fromstring() is now safe to use.

If however I'm missing something, and there should still be a warning here, there should be a different suggestion. The current suggestion to switch to defusedxml is out of date, since defusedxml is now a deprecated library. Additionally, the link to the security documentation is a url that doesn't exist: https://bandit.readthedocs.io/en/1.9.1/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree.

Reproduction steps

1.import `xml.etree.ElementTree`
2.use `ElementTree.fromstring("hello")`
3.run bandit on code
...

Expected behavior

No warning. If there is a warning, it should point to a non-deprecated library.

Bandit version

1.9.1 (Default)

Python version

3.14 (Default)

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions