Server-Side Request Forgery Information Disclosure Vulnerability
Description
Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a URL through the jar protocol. This issue affects Apache XML Graphics Batik 1.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SSRF vulnerability in Apache Batik 1.14 allows attackers to load URLs via the jar protocol, potentially leading to information disclosure.
Vulnerability
CVE-2022-38398 is a Server-Side Request Forgery (SSRF) vulnerability in Apache XML Graphics Batik 1.14. The issue arises because the DefaultExternalResourceSecurity class does not block the jar: protocol when loading external resources. This allows an attacker to craft SVG files that reference URLs using the jar: scheme, which Batik will fetch without proper validation [1][2].
Exploitation
An attacker can exploit this vulnerability by supplying a malicious SVG document to a Batik-based application (e.g., SVG viewer, converter, or server-side rendering engine). No authentication or special privileges are required; the attack only requires the application to process the crafted SVG. The jar: protocol can be used to access remote resources, potentially reaching internal networks or local file system paths [1].
Impact
Successful exploitation allows an attacker to perform SSRF, enabling them to scan internal networks, access cloud metadata endpoints, or retrieve sensitive files if the Batik instance has sufficient permissions. This could lead to information disclosure and further compromise of internal services [1][4].
Mitigation
The vulnerability is fixed in Apache Batik version 1.15, where the jar: protocol is blocked by default. Users are strongly advised to upgrade to Batik 1.15 or later. No workaround is available for earlier versions [2][4].
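The mechanism above is an external-resource loader that accepts jar: references. As an added defensive example (not code from this page, the advisory, or the Batik project), the following pre-filter flags jar: and any other non-allowlisted URL scheme in an SVG's href attributes and CSS url() references before the document is handed to a renderer; the attribute set, the data:-only allowlist and the sample SVG are assumptions constructed for this example, and the check complements rather than replaces the upgrade to 1.15.

```python
import re
import xml.etree.ElementTree as ET

# Defence-in-depth pre-filter for untrusted SVG handed to a server-side renderer.
# Assumption for this example: only data: references are acceptable; jar:, file:
# and network schemes are flagged so the document never reaches the renderer.
ALLOWED_SCHEMES = {"data"}

# Attribute names that carry external references in SVG (href and xlink:href).
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
# CSS url(...) functions, e.g. fill="url(#grad)" or style="fill:url(jar:...)".
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.I)
# Leading scheme of a reference; case-insensitive because URL schemes are.
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.I)


def url_scheme(ref):
    """Return the lowercased scheme of a reference, or None for relative/fragment refs."""
    m = SCHEME_RE.match(ref)
    return m.group(1).lower() if m else None


def find_disallowed_refs(svg_text):
    """Return (element, scheme, reference) triples whose scheme is not allowlisted."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        refs = []
        for name, value in el.attrib.items():
            if name in HREF_ATTRS:
                refs.append(value)                      # direct reference
            else:
                refs.extend(CSS_URL_RE.findall(value))  # style / presentation attrs
        for ref in refs:
            scheme = url_scheme(ref)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append((el.tag.split("}")[-1], scheme, ref))
    return findings


# Constructed sample: one xlink:href using jar:, one CSS url() using upper-case JAR:,
# plus a fragment reference and a data: URL that should both pass.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image xlink:href="jar:http://example.invalid/a.jar!/p.png" width="10" height="10"/>
  <rect fill="url(#grad)" width="10" height="10"/>
  <use href="data:image/svg+xml;base64,PHN2Zy8+"/>
  <rect style="fill:url(JAR:file:///tmp/x.jar!/y.svg)" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    for element, scheme, ref in find_disallowed_refs(SAMPLE_SVG):
        print(f"reject: <{element}> references {scheme}: scheme -> {ref}")
```

The scheme comparison is lowercased on purpose: a filter that only matches the literal string `jar:` misses `JAR:` in a style attribute, which is the second finding on the sample.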
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.xmlgraphics:batik | Maven | >= 1.14, < 1.15 | 1.15 |
| org.apache.xmlgraphics:batik-bridge | Maven | >= 1.14, < 1.15 | 1.15 |
Affected products
- pkg:maven/org.apache.xmlgraphics/batik (no CPE): range >= 1.14, < 1.15
- pkg:maven/org.apache.xmlgraphics/batik-bridge (no CPE): range >= 1.14, < 1.15
- pkg:rpm/suse/xmlgraphics-batik&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (no CPE): range < 1.17-2.7.1
- Apache Software Foundation / Apache XML Graphics (CVE v5 record): range Batik 1.14
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-c5xv-qc8p-mh2v (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-38398 (advisory)
- security.gentoo.org/glsa/202401-11 (vendor advisory)
- issues.apache.org/jira/browse/BATIK-1331 (web)
- lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx (web)
- lists.debian.org/debian-lts-announce/2023/10/msg00021.html (mailing list)
- lists.debian.org/debian-lts-announce/2025/07/msg00006.html (web)
News mentions
No linked articles in our index yet.