CVE-2014-4374
Description
NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NSXMLParser in iOS before 8 is vulnerable to XXE, allowing attackers to read arbitrary files via crafted XML.
Vulnerability
NSXMLParser in Foundation on iOS versions prior to 8 fails to disable external entity processing, making it susceptible to XML External Entity (XXE) attacks. An attacker can craft XML data containing an external entity declaration and a reference to that entity [1]. This affects all iOS devices running iOS 7.x and earlier.
Exploitation
An attacker needs to deliver a crafted XML document to the target device, for example via a malicious app or a website that the user visits. NSXMLParser processes the XML, resolves the external entity, and includes its content in the parsed output. No special network position or authentication is required beyond the ability to provide XML input to an app that uses NSXMLParser.
Impact
Successful exploitation allows the attacker to read arbitrary files from the device's file system, such as sensitive user data or credentials. This is an information disclosure vulnerability.
Mitigation
Apple addressed this issue by updating NSXMLParser in iOS 8 [1]. Users should upgrade to iOS 8 or later. There is no workaround for affected versions. Note that OS X Mavericks v10.9.5 also included a fix for this issue [2], but the primary impact is on iOS.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* (range: <=7.1.2)
- cpe:2.3:o:apple:iphone_os:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:iphone_os:7.1.1:*:*:*:*:*:*:*
- Range: <8.0
Patches
No patches discovered yet.
References
- archives.neohapsis.com/archives/bugtraq/2014-09/0106.html (nvd, Vendor Advisory)
- support.apple.com/kb/HT6443 (nvd, Vendor Advisory)
- support.apple.com/kb/HT6441 (nvd)
- www.securityfocus.com/bid/69882 (nvd)
- www.securityfocus.com/bid/69905 (nvd)
- www.securitytracker.com/id/1030866 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/96077 (nvd)