GHSA-9mv7-3c64-mmqw: xml2rfc is vulnerable to arbitrary file reads through prepped files

September 10, 2025

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.

References

github.com/advisories/GHSA-9mv7-3c64-mmqw
github.com/ietf-tools/xml2rfc
github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0
github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2
github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw

Code Behaviors & Features

Detect and mitigate GHSA-9mv7-3c64-mmqw with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →