CVE-2024-36827
Description
An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XXE vulnerability in ebookmeta before v1.2.8 allows attackers to read sensitive files or cause DoS via crafted XML input.
Vulnerability
CVE-2024-36827 is an XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of the ebookmeta Python library before version 1.2.8. The library processes XML metadata from ebook files (epub, fb2) without properly disabling external entity resolution, allowing an attacker to inject malicious XML content [1][2].
Exploitation
An attacker can exploit this by crafting an ebook file with a malicious XML payload (e.g., containing an external entity reference to a local file or a recursive entity expansion). When a user or application calls ebookmeta.get_metadata() on the crafted file, the vulnerable lxml parser (versions < 4.9.1) processes the XML, enabling the attack [1][4]. No authentication is required, as the vulnerability is triggered during metadata extraction from untrusted files.
Impact
Successful exploitation allows an attacker to read arbitrary files from the server's filesystem (e.g., /etc/passwd, configuration files) or cause a Denial of Service (DoS) through entity expansion (e.g., the "billion laughs" attack) [1][3]. The impact depends on the context where the library is used; for automated processing of uploaded ebook files, this could lead to information disclosure or service disruption.
Mitigation
Users should upgrade ebookmeta to version 1.2.8 or later, which fixes the XXE by disabling external entity processing. Additionally, ensure that the underlying lxml library is version 4.9.1 or newer, as earlier versions are also vulnerable [3][4]. No workarounds are documented, so updating is the recommended course of action.
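An added example, not code from the ebookmeta project: a pre-parse gate that rejects ebook metadata XML (epub OPF, fb2 description) declaring or referencing any entity, the class of input the advisory describes. It uses only the standard library's expat so it runs without lxml; for lxml itself the hardened setting is `XMLParser(resolve_entities=False, no_network=True)`. The `safe_book_title`/`gate_result` helpers and the three sample documents are constructed for illustration.

```python
"""Pre-parse gate for ebook metadata XML (epub OPF, fb2 description): reject any
document that declares or references entities before metadata is read. Stdlib
only; lxml's hardened equivalent is XMLParser(resolve_entities=False, no_network=True)."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeMetadataXML(ValueError):
    """Raised when metadata XML contains entity declarations or references."""


def check_no_entities(xml_bytes: bytes) -> None:
    """Run expat over the document and fail on any entity machinery."""
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires while the DTD is parsed, before anything is expanded: covers both
        # SYSTEM/PUBLIC entities (file or URL read) and nested internal ones.
        raise UnsafeMetadataXML(f"entity declaration {name!r} not allowed")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeMetadataXML(f"external entity reference {system_id!r} not allowed")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(xml_bytes, True)


def safe_book_title(xml_bytes: bytes) -> str:
    """Return the fb2 <book-title>, raising UnsafeMetadataXML on hostile input."""
    check_no_entities(xml_bytes)
    return ET.fromstring(xml_bytes).findtext(".//{*}book-title", default="")


def gate_result(xml_bytes: bytes) -> str:
    try:  # short outcome string, convenient for logging or tests
        return "ok:" + safe_book_title(xml_bytes)
    except UnsafeMetadataXML as exc:
        return "rejected: " + str(exc)


# Constructed sample documents (hypothetical, not real ebook files).
BENIGN_FB2 = b"""<?xml version="1.0"?>
<FictionBook xmlns="http://www.gribuser.ru/xml/fictionbook/2.0"><description>
<title-info><book-title>Safe Title</book-title></title-info></description></FictionBook>"""
EXTERNAL_ENTITY_FB2 = b"""<?xml version="1.0"?>
<!DOCTYPE FictionBook [<!ENTITY ext SYSTEM "file:///constructed/placeholder.txt">]>
<FictionBook><description><title-info><book-title>&ext;</book-title></title-info></description></FictionBook>"""
EXPANSION_FB2 = b"""<?xml version="1.0"?>
<!DOCTYPE FictionBook [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>
<FictionBook><description><title-info><book-title>&b;</book-title></title-info></description></FictionBook>"""
```

Because the check raises on the declaration itself, neither the external read nor the nested expansion is ever attempted; the same gate can be applied to an epub's OPF file before handing it to any XML library.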
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ebookmeta (PyPI) | < 1.2.8 | 1.2.8 |
Affected products
ebookmeta/ebookmeta
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.