CVE-2025-9375
BaseFortify
Publication date: 2025-09-01
Last updated on: 2026-04-20
Assigner: Fluid Attacks
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| martinblech | xmltodict | 0.14.2 |
| martinblech | xmltodict | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-91 | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9375 is an XML Injection vulnerability in the xmltodict Python module version 0.14.2. The issue occurs because user-supplied dictionary keys are directly used as XML tag names in the module's _emit function without any validation or sanitization. This allows attackers to inject arbitrary and potentially malicious XML markup into the generated XML output by crafting dictionary keys that break the intended XML structure. [2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing remote attackers to inject malicious XML content into your XML output when using xmltodict.unparse() with untrusted input. This can lead to manipulation of XML data structures, potentially causing incorrect processing, data corruption, or security issues in applications relying on the XML output. Since there is no patch or mitigation currently available, systems using xmltodict 0.14.2 are exposed to this risk. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for XML outputs generated by xmltodict.unparse() that contain unexpected or malformed XML tags, especially those derived from user input dictionary keys. Since the vulnerability involves injection via unsanitized dictionary keys used as XML tag names, inspecting logs or outputs for suspicious XML elements or tags that break XML structure may help detect exploitation attempts. Additionally, reviewing source code or runtime behavior for usage of xmltodict version 0.14.2 and unparse() calls with user-controlled input is recommended. Specific commands are not provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Currently, there is no patch or mitigation available for this vulnerability in xmltodict version 0.14.2. Immediate steps include avoiding the use of xmltodict.unparse() with untrusted or user-supplied dictionary keys, implementing input validation or sanitization on dictionary keys before passing them to unparse(), and monitoring for suspicious activity. Consider isolating or restricting access to services using this module to reduce exposure until a fix is released. [2]
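The key validation suggested above, as an added example that is not part of this record or of the xmltodict project: it walks a dict/list tree the way unparse() would, flags every key that is not a well-formed XML name, and refuses to serialize until none remain. It assumes xmltodict's default '@' attribute prefix and '#text' text key, and restricts names to a conservative ASCII subset of the XML 1.0 Name production; the sample input is constructed.

```python
import re

# Conservative ASCII subset of the XML 1.0 Name production: a tag or attribute
# name starts with a letter or '_', continues with letters, digits, '_', '-', '.',
# and may carry at most one ':' for a namespace prefix. Anything else is rejected.
_XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*(:[A-Za-z_][A-Za-z0-9_.\-]*)?$")

ATTR_PREFIX = "@"    # xmltodict's default attr_prefix (assumed unchanged)
CDATA_KEY = "#text"  # xmltodict's default cdata_key (assumed unchanged)


def is_xml_name(name):
    """True if `name` is safe to emit as an XML tag or attribute name."""
    return isinstance(name, str) and _XML_NAME.match(name) is not None


def find_bad_keys(obj, path=""):
    """Return the paths of every dict key that would not be a well-formed XML
    name when serialized; attribute keys are checked without their prefix."""
    bad = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}/{key}"
            name = key
            if isinstance(key, str) and key.startswith(ATTR_PREFIX):
                name = key[len(ATTR_PREFIX):]
            # '#text' carries character data, not a name; the serializer escapes it
            if key != CDATA_KEY and not is_xml_name(name):
                bad.append(here)
            bad.extend(find_bad_keys(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            bad.extend(find_bad_keys(item, f"{path}[{i}]"))
    return bad


def safe_unparse(data, **kwargs):
    """Wrapper (hypothetical name) that only calls unparse() on validated keys."""
    bad = find_bad_keys(data)
    if bad:
        raise ValueError(f"refusing to serialize unsafe keys: {bad}")
    import xmltodict  # the library under discussion; reached only with clean keys
    return xmltodict.unparse(data, **kwargs)


if __name__ == "__main__":
    # Constructed sample: an order record where one key came from user input
    untrusted = {"order": {"@id": "42", "item": "book", "bad key": "x"}}
    print(find_bad_keys(untrusted))  # ['/order/bad key']
```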