CVE-2025-11058: xml2rfc has an arbitrary file read vulnerability

August 26, 2025 (updated September 29, 2025)

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the XML.

References

github.com/advisories/GHSA-cfmv-h8fx-85m7
github.com/ietf-tools/xml2rfc
github.com/ietf-tools/xml2rfc/commit/f2b245bc0aeeac0667c8f74e976c466c5991f0e4
github.com/ietf-tools/xml2rfc/security/advisories/GHSA-cfmv-h8fx-85m7
nvd.nist.gov/vuln/detail/CVE-2025-11058

Code Behaviors & Features

Detect and mitigate CVE-2025-11058 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →