GHSA-9mv7-3c64-mmqw

Published: 10 Sep 2025
Source: github
GitHub: Reviewed
CVSS4: 8.7

Description

xml2rfc is vulnerable to arbitrary file reads through prepped files

Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the prepped RFCXML.

Workarounds

Check untrusted input for link elements with rel="attachment" before processing.
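The workaround above can be applied as a pre-processing gate in front of xml2rfc's PDF output: parse the prepped RFCXML and refuse it when any link element carries rel="attachment". The following is an added example written for this page, not code from the xml2rfc project; the two sample documents are constructed, and the element and attribute names (rfc, link, rel, href) are the ones named in the advisory text and in RFCXML generally.

```python
"""Pre-processing check for prepped RFCXML before it is handed to xml2rfc's
PDF output, following the advisory's workaround: refuse any document that
carries <link rel="attachment"> elements. Added example, not xml2rfc code."""
import xml.etree.ElementTree as ET


def find_attachment_links(rfcxml: str) -> list:
    """Return the href value of every <link> whose rel attribute is 'attachment'.

    The comparison is case-insensitive and ignores XML namespaces, so a
    prefixed or oddly cased element does not slip past the check.
    """
    root = ET.fromstring(rfcxml)
    hits = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip any {namespace} prefix
        if local == "link" and el.get("rel", "").strip().lower() == "attachment":
            hits.append(el.get("href", ""))
    return hits


def is_safe_for_pdf(rfcxml: str) -> bool:
    """True when the document contains no rel="attachment" links."""
    return not find_attachment_links(rfcxml)


# Constructed sample documents (not taken from the advisory).
CLEAN_DOC = """<rfc ipr="trust200902" docName="draft-example-00" category="info">
  <link rel="prev" href="https://example.invalid/draft-example-00"/>
  <front><title>Example</title></front>
  <middle><section><name>Intro</name><t>Hello.</t></section></middle>
</rfc>"""

SUSPECT_DOC = """<rfc ipr="trust200902" docName="draft-example-00" category="info">
  <link rel="Attachment" href="../outside/document/secret.txt"/>
  <front><title>Example</title></front>
  <middle><section><name>Intro</name><t>Hello.</t></section></middle>
</rfc>"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_DOC), ("suspect", SUSPECT_DOC)):
        hits = find_attachment_links(doc)
        verdict = "ok" if not hits else f"REJECT ({len(hits)} attachment link(s): {hits})"
        print(f"{name}: {verdict}")
```

The check runs on the prepped XML, i.e. the same input xml2rfc would render, so a link element added at any earlier stage is still caught. The standard-library parser is used here to keep the example dependency-free; when the input is fully untrusted, parsing it with defusedxml instead closes off entity-expansion issues that this gate does not address.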

References

This is related to GHSA-cfmv-h8fx-85m7.

Packages

Name: xml2rfc (pip)

Affected versions: < 3.30.2

Fixed version: 3.30.2

8.7 High

CVSS4

Weaknesses

CWE-22
