VulnerableCode Package Details - pkg:pypi/xml2rfc@3.27.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-96zb-v69y-7udq Aliases: CVE-2025-11059 GHSA-9mv7-3c64-mmqw	xml2rfc is vulnerable to arbitrary file reads through prepped files ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ### References This is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).	3.30.2 Affected by 0 other vulnerabilities.
VCID-hzv3-nqaf-ckcx Aliases: CVE-2025-11058 GHSA-cfmv-h8fx-85m7	xml2rfc has an arbitrary file read vulnerability ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ### Credits This vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).	3.30.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-96zb-v69y-7udq
Aliases:
CVE-2025-11059
GHSA-9mv7-3c64-mmqw

xml2rfc is vulnerable to arbitrary file reads through prepped files ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ### References This is related to [GHSA-cfmv-h8fx-85m7](https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7).

3.30.2
Affected by 0 other vulnerabilities.

VCID-hzv3-nqaf-ckcx
Aliases:
CVE-2025-11058
GHSA-cfmv-h8fx-85m7

xml2rfc has an arbitrary file read vulnerability ### Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML. ### Workarounds Test untrusted input with `link` elements with `rel="attachment"` before processing. ### Credits This vulnerability was reported by Mohamed Ouad from [Doyensec](https://doyensec.com/).

3.30.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-7h51-2ny1-z7fd	xml2rfc has file inclusion irregularities Version [3.12.0](https://github.com/ietf-tools/xml2rfc/blob/main/CHANGELOG.md#3120---2021-12-08) changed `xml2rfc` so that it would not access local files without the presence of its new `--allow-local-file-access` flag. This prevented XML External Entity (XXE) injection attacks with `xinclude` and XML entity references. It was discovered that `xml2rfc` does not respect `--allow-local-file-access` when a local file is specified as `src` in `artwork` or `sourcecode` elements. Furthermore, XML entity references can include any file inside the source dir and below without using the `--allow-local-file-access` flag. The `xml2rfc <= 3.26.0` behaviour: \| \| `xinclude` \| XML entity reference \| `artwork src=` \| `sourcecode src=` \| \|---\|---\|---\|---\|---\| \| without `--allow-local-file-access` flag \| No filesystem access \| Any file in xml2rfc templates dir and below, any file in source directory and below \| Access source directory and below \| Access source directory and below \| \| with `--allow-local-file-access` flag \| Access any file on filesystem[^1] \| Access any file on filesystem[^1] \| Access source directory and below \| Access source directory and below \| Access source directory and below \| [^1]: Access any file of the filesystem with the permissions of the user running `xml2rfc` can access. ### Impact Anyone running `xml2rfc` as a service that accepts input from external users is impacted by this issue. Specifying a file in `src` attribute in `artwork` or `sourcecode` elements will cause the contents of that file to appear in xml2rfc’s output results. But that file has to be inside the same directory as the XML input source file. For `artwork` and `sourcecode`, `xml2rfc` will not look above the source file directory. ### The proposed new behaviour - Generalize file access checks. - Only allow access to files within src dir and below. (xml entity include can access templates dir). - Always allow access to `templates_dir` for XML entity includes. New behaviour: \| \| `xinclude` \| XML entity reference \| `artwork src=` \| `sourcecode src=` \| \|---\|---\|---\|---\|---\| \| without `--allow-local-file-access` flag \| No filesystem access \| No filesystem access _(except for `templates_dir`)_ \| No filesystem access \| No filesystem access \| \| with `--allow-local-file-access` flag \| Access source directory and below \| Access source directory and below _(Can access`templates_dir`)._ \| Access source directory and below \| Access source directory and below \| ### Workarounds Use a secure temporary directory to process un-trusted XML files, and do not reuse it for processing other XML documents.	GHSA-432c-wxpg-m4q3

Vulnerability

Summary

Aliases

VCID-7h51-2ny1-z7fd

xml2rfc has file inclusion irregularities Version [3.12.0](https://github.com/ietf-tools/xml2rfc/blob/main/CHANGELOG.md#3120---2021-12-08) changed `xml2rfc` so that it would not access local files without the presence of its new `--allow-local-file-access` flag. This prevented XML External Entity (XXE) injection attacks with `xinclude` and XML entity references. It was discovered that `xml2rfc` does not respect `--allow-local-file-access` when a local file is specified as `src` in `artwork` or `sourcecode` elements. Furthermore, XML entity references can include any file inside the source dir and below without using the `--allow-local-file-access` flag. The `xml2rfc <= 3.26.0` behaviour: | | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` | |---|---|---|---|---| | without `--allow-local-file-access` flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below | | with `--allow-local-file-access` flag | Access any file on filesystem[^1] | Access any file on filesystem[^1] | Access source directory and below | Access source directory and below | Access source directory and below | [^1]: Access any file of the filesystem with the permissions of the user running `xml2rfc` can access. ### Impact Anyone running `xml2rfc` as a service that accepts input from external users is impacted by this issue. Specifying a file in `src` attribute in `artwork` or `sourcecode` elements will cause the contents of that file to appear in xml2rfc’s output results. But that file has to be inside the same directory as the XML input source file. For `artwork` and `sourcecode`, `xml2rfc` will not look above the source file directory. ### The proposed new behaviour - Generalize file access checks. - Only allow access to files within src dir and below. (xml entity include can access templates dir). - Always allow access to `templates_dir` for XML entity includes. New behaviour: | | `xinclude` | XML entity reference | `artwork src=` | `sourcecode src=` | |---|---|---|---|---| | without `--allow-local-file-access` flag | No filesystem access | No filesystem access _(except for `templates_dir`)_ | No filesystem access | No filesystem access | | with `--allow-local-file-access` flag | Access source directory and below | Access source directory and below _(Can access`templates_dir`)._ | Access source directory and below | Access source directory and below | ### Workarounds Use a secure temporary directory to process un-trusted XML files, and do not reuse it for processing other XML documents.

GHSA-432c-wxpg-m4q3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T15:13:04.652592+00:00	GitLab Importer	Fixing	VCID-7h51-2ny1-z7fd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/xml2rfc/GHSA-432c-wxpg-m4q3.yml	38.6.0
2026-06-12T20:16:44.795668+00:00	GitLab Importer	Affected by	VCID-96zb-v69y-7udq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/xml2rfc/CVE-2025-11059.yml	38.6.0
2026-06-12T20:13:16.175247+00:00	GitLab Importer	Affected by	VCID-hzv3-nqaf-ckcx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/xml2rfc/CVE-2025-11058.yml	38.6.0
2026-06-12T07:53:31.691961+00:00	GithubOSV Importer	Fixing	VCID-7h51-2ny1-z7fd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-432c-wxpg-m4q3/GHSA-432c-wxpg-m4q3.json	38.6.0