Critical severity9.8NVD Advisory· Published Jan 17, 2022· Updated Apr 16, 2026

CVE-2022-0239

Description

corenlp is vulnerable to Improper Restriction of XML External Entity Reference

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
edu.stanford.nlp:stanford-corenlpMaven	< 4.4.0	4.4.0

Affected products

Stanford/Corenlp
cpe:2.3:a:stanford:corenlp:*:*:*:*:*:*:*:*
Range: <4.4.0

Patches

1940ffb938dc

Fix XML schema vulnerability

https://github.com/stanfordnlp/corenlpHaxatronJan 16, 2022via ghsa

commit

1 file changed · +1 −0

src/edu/stanford/nlp/util/XMLUtils.java+1 −0 modified

@@ -302,6 +302,7 @@ public static DocumentBuilder getValidatingXmlParser(File schemaFile) {
       DocumentBuilderFactory dbf = safeDocumentBuilderFactory();
 
       SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+      factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
       Schema schema = factory.newSchema(schemaFile);
       dbf.setSchema(schema);

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/stanfordnlp/corenlp/commit/1940ffb938dc4f3f5bc5f2a2fd8b35aabbbae3ddnvdPatchThird Party AdvisoryWEB
huntr.dev/bounties/a717aec2-5646-4a5f-ade0-dadc25736ae3nvdExploitThird Party AdvisoryWEB
github.com/advisories/GHSA-75vw-3m5v-fprhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-0239ghsaADVISORY
github.com/stanfordnlp/CoreNLP/commit/f44e693882812b144e09d39850177ff0a1f8d16fghsaWEB
github.com/stanfordnlp/CoreNLP/pull/1242ghsaWEB
security.snyk.io/vuln/SNYK-JAVA-EDUSTANFORDNLP-2342121ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000