VYPR
Moderate severity · OSV Advisory · Published Dec 25, 2022 · Updated Aug 3, 2024

docconv XMLToText memory allocation

CVE-2022-4741

Description

Docconv before 1.2.0 has uncontrolled memory allocation in document conversion functions, enabling remote denial of service via crafted files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Docconv before 1.2.0 has uncontrolled memory allocation in document conversion functions, enabling remote denial of service via crafted files.

Vulnerability

CVE-2022-4741 is a vulnerability in docconv versions up to 1.2.0, affecting the ConvertDocx, ConvertODT, ConvertPages, ConvertXML, and XMLToText functions. The root cause is that these functions read the entire input into memory without a size limit, leading to uncontrolled memory allocation when processing large or specially crafted documents [1].

Exploitation

An attacker can exploit this vulnerability remotely by sending a malicious document to a service using docconv, such as the docd HTTP server or any application integrating the library [3]. No authentication is required if the service is exposed. The attack vector involves providing a document that triggers the reading of excessive data into memory.

Impact

Successful exploitation results in memory exhaustion on the target system, potentially causing a denial of service (DoS) condition. The vulnerability is classified as problematic with a CVSS score not yet assigned, but the impact is limited to resource consumption [1].

Mitigation

The issue is fixed in docconv version 1.2.1, released on GitHub [2]. The patch introduces a 20 MB limit on input size using io.LimitReader [4]. Users should upgrade to version 1.2.1 or apply the commit 42bcff6. No workaround is available other than limiting access to trusted inputs.
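The io.LimitReader pattern the fix uses, and its main caveat, as an added Go example that is not docconv's code: LimitReader caps what gets buffered but truncates silently, so the hypothetical readBounded shows how the same memory ceiling can instead reject oversize input with an explicit error. The names readTruncated, readBounded and ErrTooLarge are assumptions, not docconv identifiers.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned by readBounded when the input exceeds the limit.
// Hypothetical name: docconv itself truncates silently and has no such error.
var ErrTooLarge = errors.New("input exceeds size limit")

// readTruncated is the pattern the docconv patch applies: wrap the reader in
// io.LimitReader so at most `limit` bytes are ever buffered. Bytes beyond the
// limit are silently dropped and the caller gets no signal that this happened.
func readTruncated(r io.Reader, limit int64) ([]byte, error) {
	return io.ReadAll(io.LimitReader(r, limit))
}

// readBounded keeps the same memory ceiling (at most limit+1 bytes buffered)
// but reports oversize input instead of truncating it: it reads one byte past
// the limit and treats the presence of that extra byte as an error.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	b, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(b)) > limit {
		return nil, ErrTooLarge
	}
	return b, nil
}

func main() {
	// Constructed inputs; a 16-byte limit stands in for the patch's 20 MB.
	const limit = 16
	small := []byte("<doc>ok</doc>")
	big := bytes.Repeat([]byte("A"), limit+4)

	got, err := readTruncated(bytes.NewReader(big), limit)
	fmt.Printf("LimitReader: kept %d of %d bytes, err=%v\n", len(got), len(big), err)

	_, err = readBounded(bytes.NewReader(big), limit)
	fmt.Println("bounded read of oversize input:", err)

	got, err = readBounded(bytes.NewReader(small), limit)
	fmt.Printf("bounded read of small input: %q err=%v\n", got, err)
}
```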

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/sajari/docconv (Go) | < 1.2.1 | 1.2.1
code.sajari.com/docconv (Go) | < 1.2.1 | 1.2.1

Affected products: 3

Patches: 1

Commit 42bcff666855

fix unbounded memory consumption vulnerability (#111)

https://github.com/sajari/docconv · Helena Mariano · Jul 18, 2022 · via ghsa
5 files changed · +8 −5
  • docx.go (+1 −1, modified)
    @@ -40,7 +40,7 @@ func ConvertDocx(r io.Reader) (string, map[string]string, error) {
     		size = si.Size()
     		ra = f
     	} else {
    -		b, err := ioutil.ReadAll(r)
    +		b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
     		if err != nil {
     			return "", nil, nil
     		}
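Review bot: `ioutil.ReadAll(io.LimitReader(r, maxBytes))` caps memory but truncates silently: a file larger than maxBytes is cut at 20 MB and the remainder is parsed as if it were the whole document, with no way for the caller to tell. Reading maxBytes+1 bytes and returning an error when more than maxBytes arrive would keep the same ceiling while making oversize input explicit. Separately, the `return "", nil, nil` two lines below drops the read error entirely; the odt.go and pages.go hunks return `err` at the same point and this branch should too.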
    
  • limit.go (+3 −0, added)
    @@ -0,0 +1,3 @@
    +package docconv
    +
    +const maxBytes = 20 << 20 // 20MB
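Review bot: `maxBytes` has no doc comment and is a hard-coded package constant shared by every converter. A one-line comment on why 20 MB was chosen, and a way for integrators such as the docd server to set a different cap (a package variable or an option on the converter), would make the limit reviewable and adjustable without a fork.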
    
  • odt.go (+1 −1, modified)
    @@ -14,7 +14,7 @@ func ConvertODT(r io.Reader) (string, map[string]string, error) {
     	meta := make(map[string]string)
     	var textBody string
     
    -	b, err := ioutil.ReadAll(r)
    +	b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
     	if err != nil {
     		return "", nil, err
     	}
    
  • pages.go (+1 −1, modified)
    @@ -21,7 +21,7 @@ func ConvertPages(r io.Reader) (string, map[string]string, error) {
     	meta := make(map[string]string)
     	var textBody string
     
    -	b, err := ioutil.ReadAll(r)
    +	b, err := ioutil.ReadAll(io.LimitReader(r, maxBytes))
     	if err != nil {
     		return "", nil, fmt.Errorf("error reading data: %v", err)
     	}
    
  • xml.go (+2 −2, modified)
    @@ -25,7 +25,7 @@ func ConvertXML(r io.Reader) (string, map[string]string, error) {
     func XMLToText(r io.Reader, breaks []string, skip []string, strict bool) (string, error) {
     	var result string
     
    -	dec := xml.NewDecoder(r)
    +	dec := xml.NewDecoder(io.LimitReader(r, maxBytes))
     	dec.Strict = strict
     	for {
     		t, err := dec.Token()
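Review bot: wrapping the decoder's source in io.LimitReader bounds the bytes read, but truncation surfaces differently here than in the ReadAll hunks: the decoder consumes a cut-off stream, so `dec.Token()` typically returns an unexpected-EOF syntax error for any well-formed document beyond 20 MB instead of quietly yielding partial text. That is the safer failure mode, but it is indistinguishable from a genuinely malformed file; a comment here and an error message that mentions the size cap would save integrators a confusing debugging session.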
    @@ -76,7 +76,7 @@ func XMLToText(r io.Reader, breaks []string, skip []string, strict bool) (string
     // XMLToMap converts XML to a nested string map.
     func XMLToMap(r io.Reader) (map[string]string, error) {
     	m := make(map[string]string)
    -	dec := xml.NewDecoder(r)
    +	dec := xml.NewDecoder(io.LimitReader(r, maxBytes))
     	var tagName string
     	for {
     		t, err := dec.Token()
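Review bot: XMLToMap is capped here as well, although the advisory text above lists only ConvertDocx, ConvertODT, ConvertPages, ConvertXML and XMLToText as affected. The affected-function list should mention XMLToMap so consumers auditing their call sites do not overlook this entry point.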
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
