VYPR
High severity · GHSA Advisory · Published Sep 10, 2025 · Updated Sep 29, 2025

xml2rfc is vulnerable to arbitrary file reads through prepped files

CVE-2025-11059

Description

Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting a malicious link element into the prepped RFCXML.

Workarounds

Check untrusted input for link elements with rel="attachment" before processing.
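A pre-processing check of the kind the workaround above describes, as an added example in Python that is not xml2rfc's own code (the project's strip_link_attachments helper is not reproduced here): it reports, and optionally removes, link elements with rel="attachment" from an RFCXML document before it is handed to a writer. The sample document, the href values and the token-based, case-insensitive rel matching are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample document. The <link> element name and the
# rel="attachment" value come from the advisory; the rest of the
# document shape and the href values are made up for illustration.
SAMPLE_RFCXML = """<rfc version="3" docName="draft-example-00">
  <link rel="alternate" href="https://example.org/draft-example-00.html"/>
  <link rel="attachment" href="/local/path/constructed.txt"/>
  <link rel=" Attachment " href="/local/path/constructed-2.txt"/>
  <front><title>Example</title></front>
  <middle><section><t>Body text.</t></section></middle>
</rfc>
"""


def _is_link_attachment(elem):
    """True for a <link> element whose rel contains the token "attachment".

    The tag check ignores any XML namespace prefix, and rel is compared as
    whitespace-separated, case-insensitive tokens (an assumption made so the
    check errs on the side of reporting rather than missing a variant).
    """
    if elem.tag.split("}")[-1] != "link":
        return False
    tokens = (elem.get("rel") or "").lower().split()
    return "attachment" in tokens


def find_link_attachments(xml_text):
    """Return the href of every attachment link, for rejecting untrusted input."""
    root = ET.fromstring(xml_text)
    return [e.get("href", "") for e in root.iter() if _is_link_attachment(e)]


def remove_link_attachments(xml_text):
    """Return (cleaned_xml, removed_hrefs) with attachment links removed.

    ElementTree has no parent pointers, so a parent map is built first.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    removed = []
    for elem in list(root.iter()):
        if _is_link_attachment(elem) and elem in parent_of:
            removed.append(elem.get("href", ""))
            parent_of[elem].remove(elem)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("attachment links:", find_link_attachments(SAMPLE_RFCXML))
    cleaned, removed = remove_link_attachments(SAMPLE_RFCXML)
    print("removed:", removed, "remaining:", find_link_attachments(cleaned))
```

Rejecting a document outright when find_link_attachments returns anything is the stricter choice for untrusted input; removal is the equivalent of what the fix commit does in the parser.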

References

This is related to GHSA-cfmv-h8fx-85m7.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package    Ecosystem    Affected versions    Patched versions
xml2rfc    PyPI         < 3.30.2             3.30.2

Patches

73fb1c91fc62

fix: Add sanitize step to the parser

https://github.com/ietf-tools/xml2rfc · Kesara Rathnayake · Sep 8, 2025 · via ghsa
3 files changed · +9 −4
  • xml2rfc/parser.py (+5 −0) modified
    @@ -755,6 +755,11 @@ def getroot(self):
         def getpis(self):
             """ Returns a list of the XML processing instructions """
             return self.pis.copy()
    +
    +    def sanitize(self):
    +        """ Sanitize the document """
    +        # Strip link attachments
    +        xml2rfc.utils.strip_link_attachments(self.tree)
         
         def validate(self, dtd_path=None):
             """ Validate the document with its default dtd, or an optional one 
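Review bot: sanitize() is only effective if every caller invokes it, and nothing in this hunk ties it to parsing; a library user who constructs the parser and hands the tree straight to a writer without calling sanitize() gets an unstripped document. Consider calling it at the end of the parse path or documenting it as mandatory, and expanding the docstring beyond "Sanitize the document" to say that it removes link elements with rel="attachment" and why. Also confirm that xml2rfc.utils is imported in parser.py, since the call relies on that attribute being present.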
    
  • xml2rfc/run.py (+3 −0) modified
    @@ -577,6 +577,9 @@ def main():
                 xml2rfc.log.exception('Unable to validate the XML document: ' + args[0], errors)
                 sys.exit(1)
     
    +    # sanitize the document
    +    xmlrfc.sanitize()
    +
         if options.filename:
             xml2rfc.log.warn("The -f and --filename options are deprecated and will"
                             " go away in version 3.0 of xml2rfc.  Use -o instead")
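Review bot: the call sits in the CLI main() after validation, so only command-line invocations are covered, whereas the strip removed further down in this commit ran in the writer base class for every writer regardless of entry point. Consider also emitting a warning when sanitize() actually removes something, so users learn why an attachment they declared did not reach the output instead of it vanishing silently.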
    
  • xml2rfc/writers/base.py (+1 −4) modified
    @@ -28,7 +28,7 @@
     from xml2rfc.util.file import can_access, FileAccessError
     from xml2rfc.util.name import short_author_ascii_name_parts, full_author_name_expansion, short_author_name_parts
     from xml2rfc.util.unicode import is_svg
    -from xml2rfc.utils import namespaces, find_duplicate_ids, slugify, strip_link_attachments
    +from xml2rfc.utils import find_duplicate_ids, namespaces, slugify
     
     
     SUBSERIES = {
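Review bot: the import line mixes the security-relevant removal of strip_link_attachments with an unrelated alphabetical reorder, which makes a one-name change harder to audit; keep the reorder separate or mention it in the commit message. Dropping the import is only safe if no other reference to strip_link_attachments remains in base.py, which the hunk cannot show, so that is worth a grep before merging.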
    @@ -2117,9 +2117,6 @@ def validate(self, when='', warn=False):
             # a duplicate xsd:ID attribute.  So we check all attributes with
             # content specified as xsd:ID first, and give better messages:
     
    -        # Strip link attachments
    -        strip_link_attachments(self.tree)
    -
             # Get the attributes we need to check
             if when and not when.startswith(' '):
                 when = ' '+when
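Review bot: removing the strip from the writer's validate() takes away the last check at the point where the tree is actually rendered, so any writer invoked without the CLI's sanitize() call processes attachment links unchecked. A cheap safeguard is to keep a check here that warns or fails if a link with rel="attachment" is still present, leaving the parser's sanitize() as the primary step rather than the only one.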
    
