GHSA-cfmv-h8fx-85m7: xml2rfc has an arbitrary file read vulnerability

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 8/26/2025
Updated: 8/26/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| xml2rfc      | pip       | <= 3.30.0           | 3.30.1                |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability lies in the processing of <link rel="attachment"> elements in the input XML, which can be abused to read arbitrary files from the local filesystem. The security patch addresses this by introducing a new function, xml2rfc.utils.strip_link_attachments, which explicitly removes these elements from the XML tree.

The patch applies this fix by calling strip_link_attachments within the validate method of the BaseV3Writer class. This indicates that BaseV3Writer.validate runs early in the processing pipeline and is responsible for ensuring the input is safe. Adding the sanitization step there removes the malicious elements before any downstream function that performs the file access can act on them. BaseV3Writer.validate is therefore the key function that would be observed in a runtime profile when the vulnerability is triggered.
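As an added illustration of the pre-validation step the analysis describes (this is not xml2rfc's own code; the function name mirrors the patch's but its body, the `sanitize_document` wrapper and the sample document are assumed), the following walks a parsed tree and drops every `<link rel="attachment">` element before any writer can act on it, reporting what was removed so the caller can log or reject the input:

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the advisory): a minimal RFC v3 document in which
# an untrusted <link rel="attachment"> points at a local file. The href is an
# obvious placeholder path, not a real target.
SAMPLE_XML = (
    '<rfc version="3">'
    '<front><title>Example</title>'
    '<link rel="attachment" href="file:///constructed/example.txt"/>'
    '<link rel="stylesheet" href="style.css"/>'
    '</front>'
    '<middle><section><name>Intro</name><t>Body text</t></section></middle>'
    '</rfc>'
)


def strip_link_attachments(root):
    """Remove every <link rel="attachment"> element below `root`, in place.

    Returns the hrefs that were removed so a caller can log the event or
    reject the document outright instead of silently continuing. Other
    <link> variants (e.g. rel="stylesheet") are left untouched.
    """
    removed = []
    # Snapshot the traversal first: mutating children while iterating is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            # xml2rfc's vocabulary is un-namespaced, so a bare tag compare suffices.
            if child.tag == "link" and child.get("rel") == "attachment":
                removed.append(child.get("href", ""))
                parent.remove(child)
    return removed


def sanitize_document(xml_text):
    """Parse `xml_text`, strip attachment links, return (clean_xml, removed_hrefs).

    For genuinely untrusted input, parse with defusedxml rather than the stdlib
    parser to also cover entity-expansion issues; ET is used here to stay
    dependency-free.
    """
    root = ET.fromstring(xml_text)
    removed = strip_link_attachments(root)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    clean, removed = sanitize_document(SAMPLE_XML)
    print("removed:", removed)
    print(clean)
```

A non-empty `removed` list is the signal a processing pipeline should log (or treat as a reason to reject the document), since a well-formed input should not carry such elements at all.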


WAF Protection Rules

WAF Rule

### Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the XML.

### Workarounds

Test untrusted input with `link` elements with `rel="attachment
