Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-q7m8-uhma-kudz
Vulnerability ID VCID-q7m8-uhma-kudz
Aliases CVE-2022-25024
GHSA-8rj5-2857-877j
PYSEC-2023-149
Summary The json2xml package through 3.12.0 for Python allows an error in typecode decoding enabling a remote attack that can lead to an exception, causing a denial of service.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-248 Uncaught Exception
CWE-754 Improper Check for Unusual or Exceptional Conditions
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2022-25024
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2022-25024
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2022-25024
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8rj5-2857-877j
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml
cvssv4 8.7 https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml
cvssv3.1 7.5 https://github.com/vinitkumar/json2xml
cvssv4 8.7 https://github.com/vinitkumar/json2xml
generic_textual HIGH https://github.com/vinitkumar/json2xml
cvssv3.1 7.5 https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b
cvssv4 8.7 https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b
generic_textual HIGH https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b
cvssv3.1 7.5 https://github.com/vinitkumar/json2xml/issues/106
cvssv4 8.7 https://github.com/vinitkumar/json2xml/issues/106
generic_textual HIGH https://github.com/vinitkumar/json2xml/issues/106
ssvc Track https://github.com/vinitkumar/json2xml/issues/106
cvssv3.1 7.5 https://github.com/vinitkumar/json2xml/pull/107
cvssv4 8.7 https://github.com/vinitkumar/json2xml/pull/107
generic_textual HIGH https://github.com/vinitkumar/json2xml/pull/107
ssvc Track https://github.com/vinitkumar/json2xml/pull/107
cvssv3.1 7.5 https://github.com/vinitkumar/json2xml/pull/107/files
cvssv4 8.7 https://github.com/vinitkumar/json2xml/pull/107/files
generic_textual HIGH https://github.com/vinitkumar/json2xml/pull/107/files
ssvc Track https://github.com/vinitkumar/json2xml/pull/107/files
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2022-25024
cvssv4 8.7 https://nvd.nist.gov/vuln/detail/CVE-2022-25024
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2022-25024
cvssv3.1 7.5 https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads
cvssv4 8.7 https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads
generic_textual HIGH https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads
ssvc Track https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads/
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-25024
https://github.com/advisories/GHSA-8rj5-2857-877j
https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml
https://github.com/vinitkumar/json2xml
https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b
https://nvd.nist.gov/vuln/detail/CVE-2022-25024
https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads
106 https://github.com/vinitkumar/json2xml/issues/106
107 https://github.com/vinitkumar/json2xml/pull/107
analyzing-pypi-package-downloads https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads/
files https://github.com/vinitkumar/json2xml/pull/107/files
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/json2xml/PYSEC-2023-149.yaml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/vinitkumar/json2xml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/vinitkumar/json2xml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/vinitkumar/json2xml/commit/a9cd75b61329801b47a8fba7473bce6c85a38b9b
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/vinitkumar/json2xml/issues/106
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/vinitkumar/json2xml/issues/106
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T17:46:20Z/ Found at https://github.com/vinitkumar/json2xml/issues/106
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/vinitkumar/json2xml/pull/107
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/vinitkumar/json2xml/pull/107
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T17:46:20Z/ Found at https://github.com/vinitkumar/json2xml/pull/107
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/vinitkumar/json2xml/pull/107/files
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/vinitkumar/json2xml/pull/107/files
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T17:46:20Z/ Found at https://github.com/vinitkumar/json2xml/pull/107/files
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25024
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25024
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-03T17:46:20Z/ Found at https://packaging.python.org/en/latest/guides/analyzing-pypi-package-downloads/
Exploit Prediction Scoring System (EPSS)
Percentile 0.3302
EPSS Score 0.00134
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:36:11.972230+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2022/25xxx/CVE-2022-25024.json 38.6.0