Infinite loop within Apache XercesJ XML parser
Description
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache XercesJ XML parser versions ≤2.12.1 are vulnerable to an infinite loop via specially crafted XML, causing prolonged resource consumption.
Vulnerability
Apache Xerces Java (XercesJ) XML parser versions 2.12.1 and earlier contain a vulnerability that causes an infinite loop when processing specially crafted XML document payloads [1]. The bug resides in the parser's handling of malformed or deeply nested XML structures, leading to uncontrolled iteration without termination [3].
Exploitation
An attacker can exploit this vulnerability by sending a crafted XML document to any application that uses the vulnerable XercesJ parser to parse untrusted XML input [1]. No authentication or special network position is required; the attack is remote and can be delivered via HTTP, file upload, or any other mechanism that feeds XML to the parser [3]. The parser enters an infinite loop upon encountering the malicious payload, consuming CPU and memory resources indefinitely.
Impact
Successful exploitation results in a denial-of-service (DoS) condition. The infinite loop causes the parser to hang, consuming system resources (CPU and memory) for a prolonged duration, potentially leading to application unresponsiveness or crash [1][3]. The impact is limited to availability; no data confidentiality or integrity is compromised.
Mitigation
Apache released version 2.12.2 to fix this vulnerability [3]. Users should upgrade to 2.12.2 or later. If upgrading is not immediately possible, consider using an alternative XML parser or applying input validation to reject malformed XML documents. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
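The following is an added example, not code from the page or from the Xerces project. It shows the two checks a defender would want around this advisory: a runtime probe that reports whether the Xerces-J actually loaded at runtime is at or above the 2.12.2 fix release (shaded and transitive copies of xercesImpl are easy to miss in dependency manifests), and a parse of untrusted XML with a hard time budget so that a hung parse surfaces as a rejected input rather than an indefinite stall. Assumptions: xercesImpl is on the classpath, `org.apache.xerces.impl.Version.getVersion()` returns a string of the form "Xerces-J 2.12.2", and the 2-second budget and the class and method names are illustrative choices.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

/** Illustrative helper (hypothetical name): version probe plus time-bounded parsing. */
public final class BoundedXmlParse {

    // Assumed per-document time budget; tune to the size of documents the service accepts.
    private static final long PARSE_TIMEOUT_MS = 2_000;

    // Daemon worker threads: a worker stuck in the parser must not block JVM shutdown.
    private static final ExecutorService PARSER_POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "xml-parse-worker");
        t.setDaemon(true);
        return t;
    });

    /** Minimum fixed release per the advisory: 2.12.2. */
    private static final int[] FIXED = {2, 12, 2};

    /**
     * Reports whether the Xerces-J loaded at runtime is 2.12.2 or later.
     * Uses reflection so the probe compiles even if xercesImpl is absent;
     * in that case the class is not present and the JDK's internal copy is in use.
     */
    static boolean loadedXercesIsPatched() {
        try {
            Class<?> v = Class.forName("org.apache.xerces.impl.Version");
            String banner = (String) v.getMethod("getVersion").invoke(null); // e.g. "Xerces-J 2.12.2"
            String[] tokens = banner.trim().split("\\s+");
            String[] parts = tokens[tokens.length - 1].split("\\.");
            for (int i = 0; i < FIXED.length; i++) {
                int n = i < parts.length ? Integer.parseInt(parts[i].replaceAll("\\D.*$", "")) : 0;
                if (n != FIXED[i]) return n > FIXED[i];
            }
            return true; // exactly 2.12.2
        } catch (ReflectiveOperationException | RuntimeException e) {
            // Not Xerces-J from xercesImpl (or an unparseable banner): report "not verified".
            return false;
        }
    }

    /** Parses untrusted XML with external DTDs disabled and a hard wall-clock budget. */
    static void parseUntrusted(byte[] xml) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: reject any DOCTYPE, which also closes off entity-based attacks.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        SAXParser parser = factory.newSAXParser();

        Future<Void> job = PARSER_POOL.submit(() -> {
            parser.parse(new InputSource(new ByteArrayInputStream(xml)), new DefaultHandler());
            return null;
        });
        try {
            job.get(PARSE_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Caller regains control and can log/alert. Caveat: cancel(true) only interrupts;
            // a CPU-bound loop that never checks the interrupt flag keeps burning a core
            // until the process is recycled, so this contains the hang but does not cure it.
            job.cancel(true);
            throw new IllegalArgumentException("XML parse exceeded time budget; input rejected", e);
        } catch (ExecutionException e) {
            throw new IllegalArgumentException("XML rejected: " + e.getCause().getMessage(), e.getCause());
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Xerces-J >= 2.12.2 loaded: " + loadedXercesIsPatched());
        // Constructed, well-formed sample input; it parses well inside the budget.
        byte[] sample = "<order id=\"42\"><item sku=\"A1\" qty=\"3\"/></order>"
                .getBytes(StandardCharsets.UTF_8);
        parseUntrusted(sample);
        System.out.println("sample parsed within " + PARSE_TIMEOUT_MS + " ms");
    }
}
```

The timeout turns an otherwise silent hang into a countable failure (a metric on "parse exceeded time budget" is a useful detection signal for this class of bug), but as the comment notes it does not reclaim the CPU a spinning worker holds, so it complements the upgrade to 2.12.2 rather than replacing it.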
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| xerces:xercesImpl (Maven) | < 2.12.2 | 2.12.2 |
Affected products
43 affected products; 42 GHSA package coordinates (purl):
- pkg:maven/xerces/xercesImpl
- pkg:rpm/opensuse/ruby3.2-rubygem-nokogiri&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/rubygem-nokogiri&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/xerces-j2&distro=openSUSE%20Leap%2015.3
- pkg:rpm/opensuse/xerces-j2&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/xerces-j2&distro=HPE%20Helion%20OpenStack%208
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Enterprise%20Storage%206
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Enterprise%20Storage%207
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Manager%20Proxy%204.1
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1
- pkg:rpm/suse/xerces-j2&distro=SUSE%20Manager%20Server%204.1
- pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%208
- pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%209
- pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
- pkg:rpm/suse/xerces-j2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
Affected version ranges (per product, as recorded; no CPE assigned):
- (no CPE) range: < 2.12.2
- (no CPE) range: < 1.13.9-1.7
- (no CPE) range: < 1.13.4-1.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.12.2-1.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.8.1-238.29.8.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.8.1-238.29.8.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.11.0-4.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.12.0-3.3.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- (no CPE) range: < 2.8.1-268.9.1
- Apache Software Foundation / Apache Xerces (v5 range): Apache XercesJ
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h65f-jvqw-m9fj (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-23437 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2022/01/24/3 (ghsa; mailing-list, WEB)
- lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl (ghsa; WEB)
- security.netapp.com/advisory/ntap-20221028-0005 (ghsa; WEB)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa; WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa; WEB)
- security.netapp.com/advisory/ntap-20221028-0005/ (mitre)
News mentions
No linked articles in our index yet.