CVE-2014-2053: getID3 is vulnerable to XML External Entity (XXE)
7.5
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.85128%
CWE
Published
5/17/2022
Updated
4/23/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
james-heinrich/getid3 | composer | < 1.9.9 | 1.9.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper XML parsing in the XML2array method. The commit diff shows the original implementation didn't properly disable XML external entity loading via libxml_disable_entity_loader(true) before calling simplexml_load_string. This allowed XXE attacks by processing malicious XML input. The patch explicitly adds entity loader disabling and LIBXML_NOENT flag usage, confirming the vulnerability was in this specific function's XML handling logic.