GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities
Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag.
This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references.
It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as src in artwork or sourcecode elements: those files are read whether or not the flag is given. Furthermore, XML entity references can include any file inside the source directory and below without the --allow-local-file-access flag.
The xml2rfc <= 3.26.0 behaviour:
| | xinclude | XML entity reference | artwork src= | sourcecode src= |
|---|---|---|---|---|
| without --allow-local-file-access flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below |
| with --allow-local-file-access flag | Access any file on filesystem¹ | Access any file on filesystem¹ | Access source directory and below | Access source directory and below |
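The four columns of the table are the four ways an xml2rfc source document can make the tool open a local file. A practitioner who renders untrusted drafts wants to enumerate those constructs before xml2rfc ever sees the file, rather than rely on the flag. The scanner below is an added example for this page, not code from xml2rfc or from the advisory: it parses the document with Python's standard-library expat without resolving anything, reports every external entity declaration, xi:include href, and artwork/sourcecode src that points at the local filesystem, and says whether each one resolves outside the document's own directory. The sample draft, the `/tmp/draft` source directory and the `acceptable()` policy are constructed for the example and are assumptions, not the tool's behaviour.

```python
"""Pre-flight scan of an xml2rfc v3 source document for every construct the
advisory lists as a local-file read: external entity declarations, xi:include
hrefs, and artwork/sourcecode src attributes.  Added example for this page; it
is not xml2rfc's own code and uses only the Python standard library."""
import os
import xml.parsers.expat
from dataclasses import dataclass
from urllib.parse import urlparse

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
SRC_ELEMENTS = {"artwork", "sourcecode"}      # elements whose src= xml2rfc resolves as a path
REMOTE_OR_INLINE = {"http", "https", "data"}  # references that never touch the local disk


@dataclass
class Finding:
    kind: str                 # "entity", "xinclude", "artwork" or "sourcecode"
    target: str               # the system identifier, href or src exactly as written
    line: int                 # line in the XML where it appears
    escapes_source_dir: bool  # resolves outside the document's own directory


def _local_target(reference, source_dir):
    """Return (is_local, escapes_source_dir) for one reference string."""
    parsed = urlparse(reference)
    if parsed.scheme in REMOTE_OR_INLINE:
        return False, False
    path = parsed.path if parsed.scheme == "file" else reference
    # join() discards source_dir for absolute paths; normpath folds "..".
    resolved = os.path.normpath(os.path.join(source_dir, path))
    try:
        inside = os.path.commonpath([resolved, source_dir]) == source_dir
    except ValueError:        # different drives on Windows: certainly outside
        inside = False
    return True, not inside


def scan_xml2rfc_input(xml_text, source_dir="."):
    """Parse xml_text without resolving anything and return the local-file
    references found.  source_dir is where xml2rfc would resolve relative
    paths (the directory holding the document); assumed, not queried."""
    source_dir = os.path.abspath(source_dir)
    findings = []
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    # Never fetch an external DTD subset or parameter entities while scanning.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is None:  # internal entity: replacement text only, harmless
            return
        local, escapes = _local_target(system_id, source_dir)
        if local:
            findings.append(Finding("entity", system_id, parser.CurrentLineNumber, escapes))

    def start_element(name, attrs):
        if name == XINCLUDE_NS + " include" and "href" in attrs:
            kind, target = "xinclude", attrs["href"]
        elif name in SRC_ELEMENTS and "src" in attrs:
            kind, target = name, attrs["src"]
        else:
            return
        local, escapes = _local_target(target, source_dir)
        if local:
            findings.append(Finding(kind, target, parser.CurrentLineNumber, escapes))

    def external_entity_ref(context, base, system_id, public_id):
        return 1               # tell expat it was handled; the file is never opened

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_text, True)
    return findings


def acceptable(findings, allow_local_file_access=False):
    """Policy used by this example for untrusted input (stricter than xml2rfc):
    with the flag off nothing may touch the filesystem at all; with the flag
    on, nothing may reach outside the source directory."""
    if not allow_local_file_access:
        return not findings
    return not any(f.escapes_source_dir for f in findings)


# Constructed sample (not from the advisory) exercising every inclusion mechanism.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc [
  <!ENTITY note "inline text is fine">
  <!ENTITY secret SYSTEM "../secret.txt">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3">
  <front><title>Constructed sample</title></front>
  <middle>
    <section><name>Body</name>
      <xi:include href="https://example.invalid/reference.xml"/>
      <xi:include href="/etc/passwd"/>
      <t>&note; &secret;</t>
      <artwork src="figs/diagram.txt" type="ascii-art"/>
      <sourcecode src="/etc/shadow" type="text"/>
    </section>
  </middle>
</rfc>
"""

if __name__ == "__main__":
    for f in scan_xml2rfc_input(SAMPLE, "/tmp/draft"):
        print(f"line {f.line}: {f.kind} -> {f.target}"
              + ("  (outside source dir)" if f.escapes_source_dir else ""))
```

On the sample the scan reports the external entity, the absolute xi:include, the relative artwork and the absolute sourcecode, and marks all but the artwork as escaping the source directory; the https xi:include and the internal entity are not reported. Note that this check only classifies what the document asks for: it does not model xml2rfc's templates-directory lookup for entity references, and an artwork or sourcecode src inside the source directory is still a read the flag does not gate, which is why the flag-off policy rejects any local reference at all.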