CVE-2020-25614: xmlquery lacks check for whether LoadURL response is in XML format, causing denial of service

October 7, 2022 (updated January 22, 2025)

xmlquery before 1.3.1 lacks a check for whether a LoadURL response is in the XML format, which allows attackers to cause a denial of service (SIGSEGV) at xmlquery.(*Node).InnerText or possibly have unspecified other impact.

References

github.com/advisories/GHSA-93m7-c69f-5cfj
github.com/antchfx/xmlquery
github.com/antchfx/xmlquery/commit/5648b2f39e8d5d3fc903c45a4f1274829df71821
github.com/antchfx/xmlquery/compare/v1.3.0...v1.3.1
github.com/antchfx/xmlquery/issues/39
nvd.nist.gov/vuln/detail/CVE-2020-25614
pkg.go.dev/vuln/GO-2020-0048

Code Behaviors & Features

Detect and mitigate CVE-2020-25614 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →