VYPR
High severity · OSV Advisory · Published Feb 4, 2019 · Updated Aug 5, 2024

CVE-2019-1000007

Description

aioxmpp version 0.10.2 and earlier contains an Improper Handling of Structural Elements vulnerability in Stanza Parser, rollback during error processing, aioxmpp.xso.model.guard function that can result in Denial of Service, Other. This attack appears to be exploitable via Remote. A crafted stanza can be sent to an application which uses the vulnerable components to either inject data in a different context or cause the application to reconnect (potentially losing data). This vulnerability appears to have been fixed in 0.10.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2019-1000007: aioxmpp 0.10.2 and earlier mishandles XML stanza parsing errors, enabling remote DoS or data injection.

Vulnerability

CVE-2019-1000007 is an improper handling of structural elements vulnerability in the aioxmpp library (version 0.10.2 and earlier). The flaw resides in the Stanza Parser and specifically the aioxmpp.xso.model.guard function, which fails to correctly roll back state when an error occurs during XML stanza parsing. This allows an attacker to send a crafted stanza that causes the parser to enter an inconsistent state [1][2][3][4].

Exploitation

An attacker with network access to an application using aioxmpp can send a specially crafted XMPP stanza. The vulnerable parser does not properly handle exceptions raised during the processing of start/end elements, leading to incorrect internal state management. The attack does not require authentication, as the crafted stanza is processed before any authorization checks [1][2][3][4].

Impact

Successful exploitation results in either denial of service (e.g., causing the application to disconnect and potentially lose data) or data injection, where attacker-controlled data may be placed in a different XML context than intended. The vulnerability can also force the application to reconnect, potentially losing ongoing data [1][2].
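To make the depth mis-count concrete, here is an added example that is not aioxmpp's own code: condensed re-implementations of the pre-fix and fixed guard generators (normal-completion path omitted), driven by a constructed event stream in the tuple shape the fix commit's tests use. child_rejecting_text, child_rejecting_start and events_consumed are constructed helpers, not library API.

```python
# Added illustration, not aioxmpp's code: condensed pre-fix/fixed guard() plus constructed helpers.
STEP = {"start": 1, "end": -1}             # how each event type changes nesting depth
def guard_old(dest):                       # pre-0.10.3 logic, normal-completion path omitted
    next(dest)                             # unguarded: an error here skips the drain entirely
    depth = 1
    while True:
        ev = yield
        depth += STEP.get(ev[0], 0)
        try:
            dest.send(ev)
        except Exception as exc:
            error = exc
            break
    while depth > 0:                       # bug: nested 'start' events are not counted here
        ev_type, *_ = yield
        depth -= ev_type == "end"
    raise error
def guard_fixed(dest):                     # 0.10.3 logic, normal-completion path omitted
    depth = 1
    try:
        next(dest)
        while True:
            ev = yield
            depth += STEP.get(ev[0], 0)
            dest.send(ev)
    finally:                               # runs on every exit path, including next(dest) failing
        while depth > 0:
            ev_type, *_ = yield
            depth += STEP.get(ev_type, 0)
def child_rejecting_text():                # constructed child parser: raises on the first text node
    while True:
        if (yield)[0] == "text":
            raise ValueError("unexpected text")
def child_rejecting_start():               # constructed child parser: raises as soon as it is primed
    raise ValueError("rejected on start")
    yield                                  # unreachable; makes this a generator function
SUBTREE = [("start", None, "bar", {}), ("text", "fnord"), ("end",),          # constructed subtree below
           ("start", None, "bar", {}), ("text", "fnord"), ("end",), ("end",)]  # the guarded element
def events_consumed(make_guard, make_child, events=SUBTREE):
    """Return (events the guard consumed, exception name); anything left over reaches the parent."""
    i = 0
    try:
        g = make_guard(make_child())
        next(g)
        for i, ev in enumerate(events, 1):
            g.send(ev)
    except Exception as exc:
        return i, type(exc).__name__
    return i, None
```

With the text-rejecting child the old guard raises after only six of the seven events, leaving the guarded element's own closing end event to the enclosing parser, which then mis-counts its depth; with the start-rejecting child it never sees the subtree at all. The fixed guard consumes all seven events in both failure modes before re-raising.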

Mitigation

The vulnerability is fixed in aioxmpp version 0.10.3. Users should upgrade to this version or later. No workarounds are documented; updating is the recommended mitigation [1][2][3][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
aioxmpp (PyPI)   < 0.10.3            0.10.3

Patches (2)

29ff0838a40f

xso: fix parser error handling

https://github.com/horazont/aioxmpp · Jonas Schäfer · Jan 10, 2019 · via ghsa
3 files changed · +124 −19
  • aioxmpp/xso/model.py (+19 −19, modified)
    @@ -2536,26 +2536,26 @@ def enforce_unknown_child_policy(policy, ev_args, error_handler=None):
     
     
     def guard(dest, ev_args):
    -    next(dest)
         depth = 1
    -    while True:
    -        ev = yield
    -        if ev[0] == "start":
    -            depth += 1
    -        elif ev[0] == "end":
    -            depth -= 1
    -        try:
    -            dest.send(ev)
    -        except StopIteration as exc:
    -            return exc.value
    -        except Exception as exc:
    -            error = exc
    -            break
    -    while depth > 0:
    -        ev_type, *_ = yield
    -        if ev_type == "end":
    -            depth -= 1
    -    raise error
    +    try:
    +        next(dest)
    +        while True:
    +            ev = yield
    +            if ev[0] == "start":
    +                depth += 1
    +            elif ev[0] == "end":
    +                depth -= 1
    +            try:
    +                dest.send(ev)
    +            except StopIteration as exc:
    +                return exc.value
    +    finally:
    +        while depth > 0:
    +            ev_type, *_ = yield
    +            if ev_type == "end":
    +                depth -= 1
    +            elif ev_type == "start":
    +                depth += 1
     
     
     def lang_attr(instance, ctx):
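Review bot: moving the drain loop into a `finally` that contains a `yield` (the lines `+    finally:` / `+            ev_type, *_ = yield`) introduces a close-path hazard: if the caller closes the guard generator while `depth > 0` (an explicit `close()`, or garbage collection of an abandoned parser), the `finally` yields while `GeneratorExit` is being handled and Python raises `RuntimeError: generator ignored GeneratorExit` instead of closing quietly; the old drain loop was not under `finally`, so it did not have this problem. A minimal fix is an `except GeneratorExit: depth = 0; raise` clause ahead of the `finally`, together with a test that closes a guard mid-subtree.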
    
  • docs/api/changelog.rst (+14 −0, modified)
    @@ -52,6 +52,20 @@ Version 0.11
     
     * :mod:`aioxmpp.ibb` (:xep:`47`) Support for In-Band Bytestreams.
     
    +* Fix incorrect error handling in :mod:`aioxmpp.xso` when a supressing
    +  :meth:`aioxmpp.xso.XSO.xso_error_handler` is in use.
    +
    +  Under certain circumstances, it is possible that the handling of supressed
    +  error causes another error later on because the parsing stack mis-counts the
    +  depth in which it is inside the XML tree. This makes elements appear in the
    +  wrong place, typically leading to further errors.
    +
    +  In the worst case, using a supressing
    +  :meth:`~aioxmpp.xso.XSO.xso_error_handler` in specific circumstances can be
    +  vulnerable to denial of service and data injection into the XML stream.
    +
    +  (A CVE will be allocated for this.)
    +
     .. _api-changelog-0.10:
     
     Version 0.10
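Review bot: spelling in the new changelog entry: `supressing` and `supressed` should be `suppressing` and `suppressed` (three occurrences), and "the handling of supressed error causes" needs an article ("the handling of a suppressed error causes"). The placeholder "(A CVE will be allocated for this.)" should be replaced with the identifier once it is assigned so the entry can be found by CVE number.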
    
  • tests/xso/test_model.py (+91 −0, modified)
    @@ -4933,6 +4933,97 @@ def test_return_only_after_end_even_on_exception_and_reraise(self):
                 ctx.exception
             )
     
    +    def test_eat_end_after_exception_on_start(self):
    +        class FooException(Exception):
    +            pass
    +
    +        def processor():
    +            raise FooException()
    +            yield
    +
    +        cmd_sequence = [
    +            ("start", None, "foo", {}),
    +            ("end",),
    +        ]
    +
    +        dest = processor()
    +        guard = xso_model.guard(dest, cmd_sequence[0][1:])
    +        next(guard)
    +
    +        with self.assertRaises(FooException):
    +            guard.send(cmd_sequence[1])
    +
    +    def test_handles_increasing_nesting_while_dropping(self):
    +        cmd_sequence = [
    +            ("start", None, "foo", {}),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("end",),
    +        ]
    +
    +        dest = unittest.mock.MagicMock()
    +        guard = xso_model.guard(dest, cmd_sequence[0][1:])
    +        next(guard)
    +
    +        for cmd in cmd_sequence[1:2]:
    +            guard.send(cmd)
    +
    +        exc = ValueError()
    +        dest.send.side_effect = exc
    +
    +        for cmd in cmd_sequence[2:-1]:
    +            guard.send(cmd)
    +
    +        with self.assertRaises(ValueError) as ctx:
    +            guard.send(cmd_sequence[-1])
    +
    +        self.assertSequenceEqual(
    +            [
    +                unittest.mock.call.__next__(),
    +            ]+[
    +                unittest.mock.call.send(cmd)
    +                for cmd in cmd_sequence[1:3]
    +            ],
    +            dest.mock_calls
    +        )
    +
    +        self.assertIs(
    +            exc,
    +            ctx.exception
    +        )
    +    def test_handles_increasing_nesting_while_after_error_during_start(self):
    +        class FooException(Exception):
    +            pass
    +
    +        def processor():
    +            raise FooException()
    +            yield
    +
    +        cmd_sequence = [
    +            ("start", None, "foo", {}),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("end",),
    +        ]
    +
    +        dest = processor()
    +        guard = xso_model.guard(dest, cmd_sequence[0][1:])
    +        next(guard)
    +
    +        for cmd in cmd_sequence[1:-1]:
    +            guard.send(cmd)
    +
    +        with self.assertRaises(FooException):
    +            guard.send(cmd_sequence[-1])
    +
     
     class TestSAXDriver(unittest.TestCase):
         def setUp(self):
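Review bot: style in the tests hunk: there is no blank line between the closing `)` of the `self.assertIs(` in `test_handles_increasing_nesting_while_dropping` and `def test_handles_increasing_nesting_while_after_error_during_start(self):`, unlike the other methods in this hunk, and that method name reads oddly ("while_after"); `test_handles_increasing_nesting_after_error_during_start` says the same thing. Otherwise the three cases line up with the two defects fixed in `guard`: an exception raised from `next(dest)` and nested `start` events arriving during the drain.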
    
f151f920f439

xso: fix parser error handling

https://github.com/horazont/aioxmpp · Jonas Schäfer · Jan 10, 2019 · via ghsa
3 files changed · +127 −19
  • aioxmpp/xso/model.py (+19 −19, modified)
    @@ -2536,26 +2536,26 @@ def enforce_unknown_child_policy(policy, ev_args, error_handler=None):
     
     
     def guard(dest, ev_args):
    -    next(dest)
         depth = 1
    -    while True:
    -        ev = yield
    -        if ev[0] == "start":
    -            depth += 1
    -        elif ev[0] == "end":
    -            depth -= 1
    -        try:
    -            dest.send(ev)
    -        except StopIteration as exc:
    -            return exc.value
    -        except Exception as exc:
    -            error = exc
    -            break
    -    while depth > 0:
    -        ev_type, *_ = yield
    -        if ev_type == "end":
    -            depth -= 1
    -    raise error
    +    try:
    +        next(dest)
    +        while True:
    +            ev = yield
    +            if ev[0] == "start":
    +                depth += 1
    +            elif ev[0] == "end":
    +                depth -= 1
    +            try:
    +                dest.send(ev)
    +            except StopIteration as exc:
    +                return exc.value
    +    finally:
    +        while depth > 0:
    +            ev_type, *_ = yield
    +            if ev_type == "end":
    +                depth -= 1
    +            elif ev_type == "start":
    +                depth += 1
     
     
     def lang_attr(instance, ctx):
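Review bot: one behavioural change in this hunk is not documented: with `return exc.value` now inside the `try`, a `dest` that finishes (StopIteration) before the matching `end` event makes the `finally` drain the rest of the subtree before the value is returned, whereas the old code returned immediately and left those events to the enclosing parser. That is the safer behaviour, but `guard` has no docstring; add one stating that on every exit path the generator consumes events up to and including the `end` that closes the guarded element, so callers can rely on it when reasoning about depth.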
    
  • docs/api/changelog.rst (+17 −0, modified)
    @@ -613,6 +613,23 @@ Version 0.10.2
     
     * Make compatible with Python 3.7.
     
    +Version 0.10.3
    +--------------
    +
    +* Fix incorrect error handling in :mod:`aioxmpp.xso` when a supressing
    +  :meth:`aioxmpp.xso.XSO.xso_error_handler` is in use.
    +
    +  Under certain circumstances, it is possible that the handling of supressed
    +  error causes another error later on because the parsing stack mis-counts the
    +  depth in which it is inside the XML tree. This makes elements appear in the
    +  wrong place, typically leading to further errors.
    +
    +  In the worst case, using a supressing
    +  :meth:`~aioxmpp.xso.XSO.xso_error_handler` in specific circumstances can be
    +  vulnerable to denial of service and data injection into the XML stream.
    +
    +  (A CVE will be allocated for this.)
    +
     .. _api-changelog-0.9:
     
     Version 0.9
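Review bot: the new `Version 0.10.3` section repeats the 0.11 entry verbatim, including the `supressing`/`supressed` misspellings and the "(A CVE will be allocated for this.)" placeholder; fix the spelling in both places and, once the identifier exists, add it to both sections. The `--------------` underline matches the heading length, so the RST heading itself is fine.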
    
  • tests/xso/test_model.py (+91 −0, modified)
    @@ -4933,6 +4933,97 @@ def test_return_only_after_end_even_on_exception_and_reraise(self):
                 ctx.exception
             )
     
    +    def test_eat_end_after_exception_on_start(self):
    +        class FooException(Exception):
    +            pass
    +
    +        def processor():
    +            raise FooException()
    +            yield
    +
    +        cmd_sequence = [
    +            ("start", None, "foo", {}),
    +            ("end",),
    +        ]
    +
    +        dest = processor()
    +        guard = xso_model.guard(dest, cmd_sequence[0][1:])
    +        next(guard)
    +
    +        with self.assertRaises(FooException):
    +            guard.send(cmd_sequence[1])
    +
    +    def test_handles_increasing_nesting_while_dropping(self):
    +        cmd_sequence = [
    +            ("start", None, "foo", {}),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("end",),
    +        ]
    +
    +        dest = unittest.mock.MagicMock()
    +        guard = xso_model.guard(dest, cmd_sequence[0][1:])
    +        next(guard)
    +
    +        for cmd in cmd_sequence[1:2]:
    +            guard.send(cmd)
    +
    +        exc = ValueError()
    +        dest.send.side_effect = exc
    +
    +        for cmd in cmd_sequence[2:-1]:
    +            guard.send(cmd)
    +
    +        with self.assertRaises(ValueError) as ctx:
    +            guard.send(cmd_sequence[-1])
    +
    +        self.assertSequenceEqual(
    +            [
    +                unittest.mock.call.__next__(),
    +            ]+[
    +                unittest.mock.call.send(cmd)
    +                for cmd in cmd_sequence[1:3]
    +            ],
    +            dest.mock_calls
    +        )
    +
    +        self.assertIs(
    +            exc,
    +            ctx.exception
    +        )
    +    def test_handles_increasing_nesting_while_after_error_during_start(self):
    +        class FooException(Exception):
    +            pass
    +
    +        def processor():
    +            raise FooException()
    +            yield
    +
    +        cmd_sequence = [
    +            ("start", None, "foo", {}),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("start", None, "bar", {}),
    +            ("text", "fnord"),
    +            ("end",),
    +            ("end",),
    +        ]
    +
    +        dest = processor()
    +        guard = xso_model.guard(dest, cmd_sequence[0][1:])
    +        next(guard)
    +
    +        for cmd in cmd_sequence[1:-1]:
    +            guard.send(cmd)
    +
    +        with self.assertRaises(FooException):
    +            guard.send(cmd_sequence[-1])
    +
     
     class TestSAXDriver(unittest.TestCase):
         def setUp(self):
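Review bot: the `processor` generator (`raise FooException()` followed by an unreachable `yield`) and the `FooException` class are defined twice in this hunk, and the eight-tuple `cmd_sequence` is duplicated between the two nesting tests; lift them to module level or a small helper so the intent of each test is visible without re-reading the fixtures. `test_handles_increasing_nesting_while_dropping` also depends on `dest.send.side_effect = exc` being set only after the first `send`, which deserves a comment, since that ordering is what makes the mock raise on the `text` event rather than on the nested `start`.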
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
