VYPR
Critical severity · OSV Advisory · Published Jan 4, 2019 · Updated Aug 4, 2024

CVE-2019-5312


Description

An XXE vulnerability in weixin-java-tools v3.3.0's BaseWxPayResult.java allows attackers to read files or perform SSRF via XML external entities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The getXmlDoc method in BaseWxPayResult.java of weixin-java-tools v3.3.0 is vulnerable to XML External Entity (XXE) injection. This issue arises due to an incomplete fix for CVE-2018-20318. The XML parser does not disable DOCTYPE declarations or external entity processing, allowing malicious XML input to be processed. The affected version is v3.3.0 [1][3].

Exploitation

An attacker can send a crafted XML payload containing external entity references to the application. This can be achieved via any input that triggers getXmlDoc, such as payment callback notifications. No authentication is required if the endpoint is exposed; the attacker only needs to supply a malicious XML string. By defining an external entity pointing to a local file or a remote URL, the parser will retrieve and include the entity's content in the parsed document [1][3].

Impact

Successful exploitation allows an attacker to read arbitrary files from the server file system (e.g., configuration files/keys) or perform Server-Side Request Forgery (SSRF) attacks to internal resources. This can lead to information disclosure, privilege escalation, or further compromise of the system [1][3].

Mitigation

The vulnerability was fixed in commit `8ec61d1328f50e23cd14285a950ca57a088b32b2` [2] by setting the parser feature http://apache.org/xml/features/disallow-doctype-decl to true, so that any document carrying a DOCTYPE declaration (the only place an entity, external or otherwise, can be declared) is rejected outright. Users should update to a version that includes this commit. If an immediate update is not possible, a workaround is to apply the same change to the XML parser configuration in BaseWxPayResult.java [2][3]. No known KEV listing.
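As an added illustration (not code from the project or from this advisory), the following Java places the pre-fix parser configuration beside the hardened one from the patch, extended with the further OWASP-recommended features; the class name HardenedXmlParser and the two sample XML strings are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example, not project code: weak vs. hardened DOM parser setup for CVE-2019-5312. */
public final class HardenedXmlParser {
  /** The pre-fix configuration: entity expansion off, but DOCTYPE (and so entity declarations) still allowed. */
  static DocumentBuilderFactory weakFactory() {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setExpandEntityReferences(false); // does not stop the parser from resolving external entities
    return factory;
  }
  /** The fix (disallow-doctype-decl) plus OWASP-recommended defence in depth. */
  static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setExpandEntityReferences(false);
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // the fix
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    return factory;
  }
  /** Parses UTF-8 XML text the way getXmlDoc does; a SAXException signals a rejected document. */
  static Document parse(DocumentBuilderFactory factory, String xml)
      throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
  }

  public static void main(String[] args) throws Exception {
    // Constructed samples: a harmless internal entity (which still needs a DOCTYPE) and a plain callback-style body.
    String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE doc [<!ENTITY e \"x\">]><doc>&e;</doc>";
    String plain = "<xml><return_code>SUCCESS</return_code></xml>";
    System.out.println("weak parser accepts DOCTYPE: " + (parse(weakFactory(), withDoctype) != null));
    System.out.println("hardened parser accepts plain body: " + (parse(hardenedFactory(), plain) != null));
    try {
      parse(hardenedFactory(), withDoctype);
      System.out.println("hardened parser accepted DOCTYPE (unexpected)");
    } catch (SAXException expected) {
      System.out.println("hardened parser rejected DOCTYPE: " + expected.getMessage());
    }
  }
}
```

With the JDK's built-in parser the weak factory accepts the DOCTYPE-bearing document while the hardened one throws a SAXParseException on it and still parses the plain body.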

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.github.binarywang:weixin-java-common (Maven)
Affected versions: < 3.3.2.B
Patched versions: 3.3.2.B


Patches

8ec61d1328f5

#903 disable DOCTYPE to fix XXE Vulnerability

https://github.com/Wechat-Group/WxJava · Binary Wang · Jan 10, 2019 · via ghsa
4 files changed · +8 −1
  • weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java · +1 −0 · modified
    @@ -39,6 +39,7 @@ protected DocumentBuilder initialValue() {
           try {
             final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
             factory.setExpandEntityReferences(false);
    +        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             return factory.newDocumentBuilder();
           } catch (ParserConfigurationException exc) {
             throw new IllegalArgumentException(exc);
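    Review bot: the new setFeature call uses an Apache/Xerces-specific feature URI, and the ParserConfigurationException that an unsupporting factory would throw is caught by the existing handler in this hunk and rethrown as IllegalArgumentException; that fails closed, which is right, but it deserves a comment so a later refactor does not swallow the exception and fall back to a DOCTYPE-accepting parser. The pre-existing `factory.setExpandEntityReferences(false);` never prevented external entity resolution on its own (hence this CVE), so consider also setting the SAX external-general-entities and external-parameter-entities features to false rather than relying on a single feature.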
    
  • weixin-java-common/src/test/java/me/chanjar/weixin/common/util/crypto/WxCryptUtilTest.java · +3 −0 · modified
    @@ -40,6 +40,7 @@ public void testNormal() throws ParserConfigurationException, SAXException, IOEx
     
         DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
         documentBuilderFactory.setExpandEntityReferences(false);
    +    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
         Document document = documentBuilder.parse(new InputSource(new StringReader(encryptedXml)));
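    Review bot: this test constructs its own DocumentBuilderFactory and applies the fix to that copy, so it never exercises the DocumentBuilder that WxCryptUtil actually uses in production, and a regression in the production configuration would go unnoticed. Prefer obtaining the builder through WxCryptUtil's own initialValue() path, and add a negative case that parses a document containing a DOCTYPE and asserts that it is rejected.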
     
    @@ -83,6 +84,8 @@ public void testValidateSignatureError() throws ParserConfigurationException, SA
           String afterEncrpt = pc.encrypt(this.replyMsg);
           DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
           dbf.setExpandEntityReferences(false);
    +      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    +
           DocumentBuilder db = dbf.newDocumentBuilder();
           StringReader sr = new StringReader(afterEncrpt);
           InputSource is = new InputSource(sr);
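    Review bot: the second added line is an empty `+` line, a stray blank that should be dropped before merging, and the parser configuration is again duplicated in the test instead of taken from WxCryptUtil. Visible in context but pre-existing: `afterEncrpt` is misspelled (afterEncrypt).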
    
  • weixin-java-pay/src/main/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResult.java · +1 −0 · modified
    @@ -189,6 +189,7 @@ private Document getXmlDoc() {
         try {
           final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
           factory.setExpandEntityReferences(false);
    +      factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
           this.xmlDoc = factory.newDocumentBuilder()
             .parse(new ByteArrayInputStream(this.xmlString.getBytes(StandardCharsets.UTF_8)));
           return xmlDoc;
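    Review bot: setFeature throws ParserConfigurationException when the active DocumentBuilderFactory implementation does not recognise the Apache feature URI, and the catch block for this try lies outside the hunk; confirm that it surfaces the error rather than continuing with an unhardened parser. Because this method parses callback bodies supplied by the caller, also set external-general-entities and external-parameter-entities to false and call setXIncludeAware(false) alongside disallow-doctype-decl, and consider building the hardened factory once instead of calling newDocumentBuilder() on a fresh factory for every result.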
    
  • weixin-java-pay/src/test/java/com/github/binarywang/wxpay/bean/result/BaseWxPayResultTest.java · +3 −1 · modified
    @@ -75,7 +75,9 @@ public void testToMap() throws Exception {
       @Test(expectedExceptions = {RuntimeException.class})
       public void testToMap_with_empty_xmlString() {
         WxPayOrderQueryResult result = new WxPayOrderQueryResult();
    -    result.setXmlString(" ");
    +    result.setXmlString( "<?xml version=\"1.0\" ?><!DOCTYPE doc " +
    +      "[<!ENTITY win SYSTEM \"file:///C:/Users/user/Documents/testdata2.txt\">]" +
    +      "><doc>&win;</doc>");
         Map<String, String> map = result.toMap();
         System.out.println(map);
       }
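    Review bot: the test only asserts that some RuntimeException escapes, so it cannot distinguish a rejected DOCTYPE from a failure to open the hard-coded Windows path file:///C:/Users/user/Documents/testdata2.txt; on a machine without that file an unpatched parser would most likely throw too and the test would pass without the fix. Assert on the exception message (the disallow-doctype-decl rejection names the DOCTYPE), use a payload that does not depend on a host path (an internal entity declaration is enough to trigger the rejection), and rename the method, since testToMap_with_empty_xmlString no longer tests an empty string; the removed `result.setXmlString(" ");` case should stay as its own test. The System.out.println is leftover debug output.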
    

