CVE-2025-9375
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-01

Last updated on: 2026-04-20

Assigner: Fluid Attacks

Description
XML Injection vulnerability in xmltodict allows Input Data Manipulation. This issue affects xmltodict: from 0.14.2 before 0.15.1. NOTE: the scope of this CVE is disputed by the vendor on the grounds that xmltodict.unparse() delegates element-name handling to Python's xml.sax.saxutils.XMLGenerator, and that XMLGenerator should be the component performing validation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-01
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2025-09-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9375
EUVD
EUVD-2025-26350
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
martinblech xmltodict 0.14.2
martinblech xmltodict *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-91 The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9375 is an XML Injection vulnerability in the xmltodict Python module version 0.14.2. The issue occurs because user-supplied dictionary keys are directly used as XML tag names in the module's _emit function without any validation or sanitization. This allows attackers to inject arbitrary and potentially malicious XML markup into the generated XML output by crafting dictionary keys that break the intended XML structure. [2]

Impact Analysis

This vulnerability can impact you by allowing remote attackers to inject malicious XML content into your XML output when using xmltodict.unparse() with untrusted input. This can lead to manipulation of XML data structures, potentially causing incorrect processing, data corruption, or security issues in applications relying on the XML output. Since there is no patch or mitigation currently available, systems using xmltodict 0.14.2 are exposed to this risk. [2]

Detection Guidance

This vulnerability can be detected by monitoring for XML outputs generated by xmltodict.unparse() that contain unexpected or malformed XML tags, especially those derived from user input dictionary keys. Since the vulnerability involves injection via unsanitized dictionary keys used as XML tag names, inspecting logs or outputs for suspicious XML elements or tags that break XML structure may help detect exploitation attempts. Additionally, reviewing source code or runtime behavior for usage of xmltodict version 0.14.2 and unparse() calls with user-controlled input is recommended. Specific commands are not provided in the resources. [2]

Mitigation Strategies

Currently, there is no patch or mitigation available for this vulnerability in xmltodict version 0.14.2. Immediate steps include avoiding the use of xmltodict.unparse() with untrusted or user-supplied dictionary keys, implementing input validation or sanitization on dictionary keys before passing them to unparse(), and monitoring for suspicious activity. Consider isolating or restricting access to services using this module to reduce exposure until a fix is released. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9375. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart