
XXE in W3C CSS Validator

High
ylafon published GHSA-3cw9-q7j2-c5jq Jun 27, 2025

Package

No package listed

Affected versions

< https://github.com/w3c/css-validator/commit/0cf8f6a3d122fabdb181c1eb38f0bae5881b0303

Patched versions

https://github.com/w3c/css-validator/commit/0cf8f6a3d122fabdb181c1eb38f0bae5881b0303

Description

Impact

XML External Entity (XXE) injection; follow-up to GHSA-745m-xmq6-g6x7.

Patches

0cf8f6a

Workarounds

Disable XML documents, parse only HTML and CSS documents, or use patched versions.
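Because the affected range is defined by a commit rather than a release number, a deployment built from a git checkout can be checked by commit ancestry. The script below is an added example, not part of the advisory or the css-validator project; the function name `check_fix` and its exit codes are this example's own conventions, and only the commit id is taken from the advisory.

```shell
#!/bin/sh
# Added example: report whether a css-validator checkout contains the fix commit.
# FIX_COMMIT is the patch commit named in the advisory.
FIX_COMMIT=0cf8f6a3d122fabdb181c1eb38f0bae5881b0303

# check_fix REPO_DIR [COMMIT]
# Prints one word and returns:
#   patched    (0)  COMMIT is HEAD or an ancestor of HEAD
#   vulnerable (1)  COMMIT is known to the repo but not contained in HEAD
#   unknown    (2)  not a git work tree, COMMIT object absent (stale or
#                   shallow clone), or ancestry could not be computed
check_fix() {
    repo=$1
    commit=${2:-$FIX_COMMIT}

    if ! git -C "$repo" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        echo unknown
        return 2
    fi
    # Without the commit object, ancestry cannot be decided either way;
    # fetch from upstream and re-run instead of assuming a result.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 2
    fi
    # merge-base --is-ancestor exits 0 (ancestor), 1 (not), other (error).
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD 2>/dev/null; then
        echo patched
        return 0
    elif [ $? -eq 1 ]; then
        echo vulnerable
        return 1
    fi
    echo unknown
    return 2
}
```

An `unknown` result should be treated as unverified, not as patched: run `git fetch` against the upstream repository and check again.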

Severity

High

CVE ID

CVE-2025-1781

Weaknesses

No CWEs

Credits