Is a call to parse-xml being done "behind the scenes" by any popular
applications that might be using Saxon internally, such as Oxygen and/or
some XSLT/XPath extensions for VS Code?
If so, we should probably also be cautious about using these, before this
vulnerability has been fixed and they confirm that they are no longer
using the affected previous versions of Saxon.
Thanks,
Dimitre.
On Fri, Mar 7, 2025 at 12:09 PM Michael Kay michaelkay90@xxxxxxxxx <
xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> If you are using Saxon to run untrusted XSLT or XQuery code, please note
> the security vulnerability in parse-xml() identified by @Martin Honnen at
> https://saxonica.plan.io/issues/6711, and apply the workaround noted in
> comment #12.
>
> The effect of the vulnerability is to allow an attacker to execute a
> malicious call on parse-xml() that reads filestore on the host machine. The
> normal JAXP configuration settings to prevent such access have no effect on
> this path.
>
> The problem affects all releases of SaxonJ and SaxonC, we have yet to
> assess the situation with SaxonCS.
>
> Michael Kay
> Saxonica