CVE-2009-2625
Description
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xerces:xercesImpl (Maven) | < 2.10.0 | 2.10.0 |
Affected products
- cpe:2.3:a:oracle:jdk:1.5.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update12:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update14:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update16:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update18:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update19:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update8:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.5.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update12:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update14:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.6.0:update7:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp2:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:-:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:-:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_web_services:6.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_web_services:7.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:primavera_web_services:7.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:apache:xerces2_java:2.9.1:*:*:*:*:*:*:*
Patches
0bdf77af1d4f: Fixing JIRA Issue #1412: https://issues.apache.org/jira/browse/XERCESJ-1412. Resolves CVE-2009-2625 and a few other issues. We were missing checks for surrogates and well-formedness when scanning system identifiers.
1 file changed · +8 −0
src/org/apache/xerces/impl/XMLScanner.java+8 −0 modified@@ -1027,6 +1027,14 @@ protected void scanExternalID(String[] identifiers, if (XMLChar.isMarkup(c) || c == ']') { fStringBuffer.append((char)fEntityScanner.scanChar()); } + else if (XMLChar.isHighSurrogate(c)) { + scanSurrogates(fStringBuffer); + } + else if (isInvalidLiteral(c)) { + reportFatalError("InvalidCharInSystemID", + new Object[] { Integer.toHexString(c) }); + fEntityScanner.scanChar(); + } } while (fEntityScanner.scanLiteral(quote, ident) != quote); fStringBuffer.append(ident); ident = fStringBuffer;
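Review bot: the new `isHighSurrogate` branch discards the result of `scanSurrogates(fStringBuffer)`, whereas the `isInvalidLiteral` branch reports and then explicitly calls `fEntityScanner.scanChar()` to guarantee forward progress. If `scanSurrogates` can report an unpaired high surrogate without consuming it, the do/while would still spin in exactly the way this patch is meant to cure; please confirm it always advances the scanner (or fall through to `scanChar()` when it returns false) and add regression tests for a system literal containing a lone `\uD800` and one containing `\u0001`. A comment that the `scanChar()` after `reportFatalError` is what keeps the loop moving when the application continues after fatal errors would also help, since that non-throwing path is the one that previously looped forever.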
Vulnerability mechanics
The hang is in XMLScanner.scanExternalID, which reads the system literal of an external identifier in a do/while loop driven by fEntityScanner.scanLiteral. scanLiteral stops at the closing quote or at any character it will not accept, and the loop body consumed that character only when XMLChar.isMarkup(c) or c == ']' held. A character that is neither a valid literal character nor markup, such as a control character or an unpaired surrogate, was therefore never consumed and never reported: scanLiteral returned the same character on every iteration and the loop never terminated, which is the denial of service observed with the Codenomicon XML fuzzer. The fix in commit 0bdf77af1d4f adds two branches: a high surrogate is consumed through scanSurrogates, and any other invalid literal character raises the fatal error InvalidCharInSystemID and is then consumed with scanChar, so the loop advances even when the error is not thrown as an exception.
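The harness below is an added example, not code from the Xerces project or from this advisory. It feeds two constructed documents, one with a control character and one with a lone high surrogate inside a DOCTYPE system literal, to whichever SAX parser JAXP selects on the classpath, runs each parse under a timeout, and reports REJECTED, ACCEPTED or HUNG. The test inputs are an assumption derived from the fix (the Codenomicon test cases are not reproduced on this page), and the class, method and enum names are the example's own.

```java
import java.io.StringReader;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Regression check for CVE-2009-2625 (added example; not Xerces project code).
 * Each input places a character the fix rejects inside a system literal and is
 * parsed under a timeout so an unterminated scan loop shows up as HUNG.
 */
public class SystemIdHangCheck {

    // Constructed inputs: chosen to reach the isInvalidLiteral and
    // isHighSurrogate branches of the patched scanExternalID (assumption).
    static final String CONTROL_CHAR_IN_SYSID =
        "<?xml version=\"1.0\"?>\n<!DOCTYPE x SYSTEM \"a\u0001b\">\n<x/>";
    static final String LONE_SURROGATE_IN_SYSID =
        "<?xml version=\"1.0\"?>\n<!DOCTYPE x SYSTEM \"a\uD800b\">\n<x/>";

    enum Outcome { REJECTED, ACCEPTED, HUNG, OTHER_ERROR }

    /** Resolves every external entity to an empty stream, so a parser that does
     *  accept the literal never touches the file system or network. */
    static final class NoExternalAccess extends DefaultHandler {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            return new InputSource(new StringReader(""));
        }
    }

    static Outcome parseWithTimeout(String xml, long timeoutMs) throws InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "xml-parse");
            t.setDaemon(true); // a spinning parser must not keep the JVM alive
            return t;
        });
        try {
            Future<Outcome> result = pool.submit(() -> {
                try {
                    SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
                    // Print which implementation JAXP picked (xercesImpl on the
                    // classpath, or the JDK's internal Xerces copy).
                    System.out.println("parser: " + parser.getClass().getName());
                    parser.parse(new InputSource(new StringReader(xml)), new NoExternalAccess());
                    return Outcome.ACCEPTED;
                } catch (SAXParseException e) {
                    System.out.println("rejected: " + e.getMessage());
                    return Outcome.REJECTED;
                } catch (Exception e) {
                    System.out.println("other error: " + e);
                    return Outcome.OTHER_ERROR;
                }
            });
            try {
                return result.get(timeoutMs, TimeUnit.MILLISECONDS);
            } catch (TimeoutException e) {
                // The unpatched loop does no blocking I/O, so the interrupt
                // requested here cannot stop it; the daemon flag lets us exit anyway.
                result.cancel(true);
                return Outcome.HUNG;
            } catch (ExecutionException e) {
                return Outcome.OTHER_ERROR;
            }
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        long timeoutMs = args.length > 0 ? Long.parseLong(args[0]) : 5000L;
        System.out.println("control char in system id  : "
            + parseWithTimeout(CONTROL_CHAR_IN_SYSID, timeoutMs));
        System.out.println("lone surrogate in system id: "
            + parseWithTimeout(LONE_SURROGATE_IN_SYSID, timeoutMs));
    }
}
```

Run it once with xercesImpl 2.9.1 on the classpath and once with 2.10.0 (or with no Xerces jar at all, to exercise the JDK's bundled copy, which this advisory lists as affected before 6u15 and 5.0u20). HUNG on either input is the CVE; REJECTED is the patched behaviour. ACCEPTED would mean the parser on the classpath neither loops nor enforces the literal character rules and deserves a closer look.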
References
- sunsolve.sun.com/search/document.do (nvd: Broken Link, Patch, WEB)
- sunsolve.sun.com/search/document.do (nvd: Broken Link, Patch, Vendor Advisory, WEB)
- svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java (nvd: Patch, Vendor Advisory, WEB)
- www.openwall.com/lists/oss-security/2009/10/22/9 (nvd: Mailing List, Patch, Third Party Advisory, WEB)
- lists.apple.com/archives/security-announce/2009/Sep/msg00000.html (nvd: Mailing List, Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html (nvd: Third Party Advisory, WEB)
- lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html (nvd: Third Party Advisory, WEB)
- marc.info (nvd: Mailing List, Third Party Advisory, WEB)
- secunia.com/advisories/36162 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/36176 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/36180 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/36199 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/37300 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/37460 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/37671 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/37754 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/38231 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/38342 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/43300 (nvd: Third Party Advisory, WEB)
- secunia.com/advisories/50549 (nvd: Third Party Advisory, WEB)
- slackware.com/security/viewer.php (nvd: Third Party Advisory, WEB)
- www.cert.fi/en/reports/2009/vulnerability2009085.html (nvd: Third Party Advisory, WEB)
- www.codenomicon.com/labs/xml/ (nvd: Third Party Advisory)
- www.debian.org/security/2010/dsa-1984 (nvd: Third Party Advisory, WEB)
- www.mandriva.com/security/advisories (nvd: Third Party Advisory, WEB)
- www.networkworld.com/columnists/2009/080509-xml-flaw.html (nvd: Third Party Advisory, WEB)
- www.openwall.com/lists/oss-security/2009/09/06/1 (nvd: Mailing List, Third Party Advisory, WEB)
- www.openwall.com/lists/oss-security/2009/10/23/6 (nvd: Mailing List, Third Party Advisory, WEB)
- www.openwall.com/lists/oss-security/2009/10/26/3 (nvd: Mailing List, Third Party Advisory, WEB)
- www.oracle.com/technetwork/topics/security/cpujan2010-084891.html (nvd: Third Party Advisory, WEB)
- www.redhat.com/support/errata/RHSA-2009-1615.html (nvd: Third Party Advisory, WEB)
- www.redhat.com/support/errata/RHSA-2011-0858.html (nvd: Third Party Advisory, WEB)
- www.securityfocus.com/archive/1/507985/100/0/threaded (nvd: Third Party Advisory, VDB Entry, WEB)
- www.securityfocus.com/bid/35958 (nvd: Third Party Advisory, VDB Entry, WEB)
- www.securitytracker.com/id (nvd: Third Party Advisory, VDB Entry, WEB)
- www.ubuntu.com/usn/USN-890-1 (nvd: Third Party Advisory, WEB)
- www.us-cert.gov/cas/techalerts/TA09-294A.html (nvd: Third Party Advisory, US Government Resource, WEB)
- www.us-cert.gov/cas/techalerts/TA10-012A.html (nvd: Third Party Advisory, US Government Resource, WEB)
- www.vmware.com/security/advisories/VMSA-2009-0016.html (nvd: Third Party Advisory, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Third Party Advisory, WEB)
- github.com/advisories/GHSA-334p-wv2m-w3vp (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2009-2625 (ghsa: ADVISORY)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520 (nvd: Third Party Advisory, WEB)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356 (nvd: Third Party Advisory, WEB)
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html (nvd: Mailing List, Third Party Advisory, WEB)
- www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html (nvd: Mailing List, Third Party Advisory, WEB)
- rhn.redhat.com/errata/RHSA-2012-1232.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2012-1537.html (nvd: Broken Link, WEB)
- sunsolve.sun.com/search/document.do (nvd: Broken Link, WEB)
- www.codenomicon.com/labs/xml (ghsa: WEB)
- www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html (nvd: Broken Link, WEB)
- www.vupen.com/english/advisories/2009/2543 (nvd: Permissions Required, WEB)
- www.vupen.com/english/advisories/2009/3316 (nvd: Permissions Required, WEB)
- www.vupen.com/english/advisories/2011/0359 (nvd: Permissions Required, WEB)
- github.com/apache/xerces2-j/commit/0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b (ghsa: WEB)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E (ghsa: WEB)
- rhn.redhat.com/errata/RHSA-2009-1199.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2009-1200.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2009-1201.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2009-1636.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2009-1637.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2009-1649.html (nvd: Broken Link, WEB)
- rhn.redhat.com/errata/RHSA-2009-1650.html (nvd: Broken Link, WEB)
- snyk.io/vuln/SNYK-JAVA-XERCES-32014 (ghsa: WEB)
- lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E (nvd)