
CVE-2022-25024: json2xml Uncaught Exception vulnerability

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.29619%
Published: 8/23/2023
Updated: 9/27/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Package
Package Name: json2xml
Ecosystem: pip
Vulnerable Versions: >= 0, < 3.14.0
First Patched Version: 3.14.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unhandled ExpatError exceptions during XML parsing in the to_xml method. The GitHub patch shows a try-except block was added around parseString().toprettyxml() to catch ExpatError and convert it to a controlled InvalidDataError. Prior to this fix, the lack of exception handling in this specific code path (when self.pretty=True) made it possible for malformed input to crash the application via an uncaught UnicodeDecodeError/ExpatError, matching the CWE-248 and CWE-754 descriptions. The affected code is clearly identified in the pre-patch version of json2xml.py.
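As an added illustration (not json2xml's own code), the following reproduces the pre-patch and post-patch shape of the pretty-printing path described above using only the Python standard library. The InvalidDataError class and its ValueError base are assumptions standing in for the project's exception, and both XML samples are constructed.

```python
from xml.dom.minidom import parseString
from xml.parsers.expat import ExpatError


class InvalidDataError(ValueError):
    """Controlled error raised by the patched path. The name comes from the
    advisory; deriving it from ValueError is an assumption of this example."""


def pretty_xml_unpatched(xml_text: str) -> str:
    # Pre-patch behaviour of the pretty=True path: a parser failure escapes as
    # a raw ExpatError, so malformed input takes down the calling application
    # unless every caller happens to catch an exception it was never told about.
    return parseString(xml_text).toprettyxml()


def pretty_xml_patched(xml_text: str) -> str:
    # Post-patch behaviour: the same call, but the parser failure is converted
    # into a documented exception that callers can handle and log.
    try:
        return parseString(xml_text).toprettyxml()
    except ExpatError as exc:
        raise InvalidDataError(f"malformed XML rejected: {exc}") from exc


def outcome(convert, xml_text: str) -> str:
    """Run one converter on one input and report the result by exception name."""
    try:
        convert(xml_text)
        return "ok"
    except Exception as exc:  # broad on purpose: the class name is the point
        return type(exc).__name__


# Constructed inputs: a well-formed document and one with a mismatched tag.
GOOD_XML = "<all><item><name>widget</name></item></all>"
BAD_XML = "<all><item><name>widget</item></all>"

if __name__ == "__main__":
    for label, sample in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, "unpatched:", outcome(pretty_xml_unpatched, sample),
              "patched:", outcome(pretty_xml_patched, sample))
```

Running it shows the malformed sample surfacing as a bare ExpatError on the unpatched path and as the controlled InvalidDataError on the patched one, while well-formed input succeeds on both.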

WAF Protection Rules

WAF Rule

The json2xml package for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.
