CVE-2022-25024: json2xml Uncaught Exception vulnerability
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2022-25024
EPSS Score: 0.29619%
CWE: CWE-248 (Uncaught Exception), CWE-754 (Improper Check for Unusual or Exceptional Conditions), as cited in the root cause analysis below
Published: 8/23/2023
Updated: 9/27/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The vector reads as: reachable over the network, low attack complexity, no privileges and no user interaction required, unchanged scope, and impact limited to availability (no confidentiality or integrity loss). In practice this is a crash of the process that converts attacker-controlled JSON.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| json2xml | pip | >= 0, < 3.14.0 | 3.14.0 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability is an unhandled ExpatError raised during XML parsing in the to_xml method. The GitHub patch wraps the parseString(...).toprettyxml() call in a try/except that catches ExpatError and re-raises it as a controlled InvalidDataError. Before that fix, this specific code path (taken when self.pretty is True) had no exception handling, so malformed input could crash the application with an uncaught UnicodeDecodeError or ExpatError, which matches the descriptions of CWE-248 (Uncaught Exception) and CWE-754 (Improper Check for Unusual or Exceptional Conditions). The affected code is clearly identifiable in the pre-patch version of json2xml.py.
For practitioners: upgrade to json2xml 3.14.0 or later, and note that the fix converts the crash into a raised InvalidDataError rather than silencing it, so any code that feeds untrusted JSON to to_xml should still catch that exception and fail the request cleanly instead of letting it propagate.
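The following is an added example written for this page, not json2xml's own source: it reproduces the shape of the bug (a dict-to-XML string is re-parsed with xml.dom.minidom.parseString for pretty-printing, and a key that is not a valid XML name makes expat throw) and places the unhandled version beside the hardened one. The helper names, the naive dict-to-XML converter standing in for the library's real generator, and the InvalidDataError class are all assumptions made here, chosen only to mirror the names used in the root cause analysis.

```python
"""Added illustrative example for CVE-2022-25024 (not json2xml's code).

Shows an unhandled ExpatError in a pretty-print path and the hardened form
that converts it into a controlled exception the caller can handle.
"""
from xml.dom.minidom import parseString
from xml.parsers.expat import ExpatError


class InvalidDataError(ValueError):
    """Controlled error raised to the caller instead of a raw parser exception.

    Assumption: named after the exception the patch introduces; this class is
    defined here for the example and is not imported from json2xml.
    """


def _naive_dict_to_xml(data: dict, root: str = "all") -> str:
    """Build XML text directly from dict keys with no name validation.

    This stands in for a dict-to-XML generator that trusts its input keys:
    a key such as "1st" produces "<1st>", which is not a well-formed XML name.
    """
    parts = []
    for key, value in data.items():
        if isinstance(value, dict):
            parts.append(_naive_dict_to_xml(value, root=key))
        else:
            parts.append(f"<{key}>{value}</{key}>")
    return f"<{root}>{''.join(parts)}</{root}>"


def to_xml_vulnerable(data: dict, pretty: bool = True) -> str:
    """Pre-patch shape: the pretty path re-parses the text with no handling."""
    xml = _naive_dict_to_xml(data)
    if pretty:
        # parseString raises ExpatError on malformed XML; nothing catches it
        # here, so the error propagates to whoever called to_xml.
        return parseString(xml).toprettyxml()
    # Non-pretty path never parses, so malformed text is returned unchanged.
    return xml


def to_xml_fixed(data: dict, pretty: bool = True) -> str:
    """Post-patch shape: the same call, with ExpatError turned into a
    controlled InvalidDataError that carries the parser's message."""
    xml = _naive_dict_to_xml(data)
    if pretty:
        try:
            return parseString(xml).toprettyxml()
        except ExpatError as exc:
            raise InvalidDataError(
                f"generated XML is not well-formed: {exc}"
            ) from exc
    return xml


def outcome(convert, data: dict, pretty: bool = True) -> str:
    """Report what a caller observes: "ok" or the exception type name."""
    try:
        convert(data, pretty=pretty)
        return "ok"
    except InvalidDataError:
        return "InvalidDataError"
    except ExpatError:
        return "ExpatError"


# Constructed sample inputs: one valid, one whose key is not an XML name.
GOOD_INPUT = {"name": "alice", "role": "user"}
BAD_INPUT = {"1st": "x"}


if __name__ == "__main__":
    print("vulnerable, good input :", outcome(to_xml_vulnerable, GOOD_INPUT))
    print("vulnerable, bad input  :", outcome(to_xml_vulnerable, BAD_INPUT))
    print("vulnerable, bad, raw   :", outcome(to_xml_vulnerable, BAD_INPUT, pretty=False))
    print("fixed, bad input       :", outcome(to_xml_fixed, BAD_INPUT))
```

Run with the bad input, the unhandled version surfaces a raw ExpatError from deep inside the pretty-print call, while the hardened version raises InvalidDataError with the parser's message attached via exception chaining. The raw (non-pretty) path returns the malformed text without complaint, which is why the root cause analysis locates the crash in the self.pretty code path. Note that the fix only changes how the failure is reported; the caller still has to handle InvalidDataError, and a generator that validated element names before emitting them would remove the malformed output altogether.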