N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-432c-wxpg-m4q3

EPSS Score

CWE

CWE-22

Published

2/7/2025

Updated

2/7/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-432c-wxpg-m4q3

GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities

Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag. This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references.

It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below without using the --allow-local-file-access flag.

The xml2rfc <= 3.26.0 behaviour:

| | xinclude | XML entity reference | artwork src= | sourcecode src= | |---|---|---|---|---| | without --allow-local-file-access flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below | | with --allow-local-file-access flag | Access any file on filesystem[^1] | Access any file on filesystem[^1] | Access source directory and below | Access source directory and below | Access source directory and below |

[^1]: Access any file of the filesystem with the permissions of the user running xml2rfc can access.

Impact

Anyone running xml2rfc as a service that accepts input from external users is impacted by this issue. Specifying a file in src attribute in artwork or sourcecode elements will cause the contents of that file to appear in xml2rfc’s output results. But that file has to be inside the same directory as the XML input source file. For artwork and sourcecode, xml2rfc will not look above the source file directory.

The proposed new behaviour

Miggo Vulnerability Database

→

GHSA-432c-wxpg-m4q3

GHSA-432c-wxpg-m4q3:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-432c-wxpg-m4q3

EPSS Score

CWE

CWE-22

Published

2/7/2025

Updated

2/7/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
xml2rfc	pip	>= 3.12.0, < 3.27.0	3.27.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three key areas:

In parser.py's resolve() method, XML entity references were allowed to access template_dir and source_dir without proper flag checks.
In base.py's check_includes(), XInclude processing lacked centralized access control checks.
In preptool.py's check_src_file_path(), src attributes were resolved without using the new can_access() validations. The commit diff shows these functions were modified to use the new can_access() security checks, indicating they were previously missing proper authorization controls. These functions directly handle file inclusion mechanisms (XML entities, XInclude, and src attributes) described in the vulnerability report.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities

Impact

The proposed new behaviour

GHSA-432c-wxpg-m4q3:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities

Impact

The proposed new behaviour

Workarounds

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities

Impact

The proposed new behaviour

GHSA-432c-wxpg-m4q3:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities

Impact

The proposed new behaviour

Workarounds

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI