CVE-2025-9375: 
Linux Debian vulnerability analysis and mitigation

XML Injection vulnerability (CVE-2025-9375) affects xmltodict version 0.14.2, discovered on July 24, 2025, and publicly disclosed on September 1, 2025. The vulnerability allows attackers to perform XML Injection by crafting dictionary keys that are inserted directly as XML tag names without validation or sanitization (Fluid Attacks).

The vulnerability exists in the emit function of xmltodict.py (lines 378-451) where dictionary keys from user input are used directly as XML tag names in the contenthandler.startElement() call without any validation or sanitization. This enables attackers to inject arbitrary XML elements or break the structure of the generated XML document. The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (Fluid Attacks).

The vulnerability allows attackers to inject arbitrary and potentially malicious XML markup into the generated output. This can lead to XML Injection attacks when the library is used in web applications that process XML data using xmltodict.unparse() (Fluid Attacks).

Currently, there is no patch available for this vulnerability in xmltodict version 0.14.2 (Fluid Attacks).

The vulnerability was discovered by Camilo Vera from Fluid Attacks' Offensive Team. After discovery on July 24, 2025, the vendor was contacted on August 22, 2025, followed by public disclosure on September 1, 2025 (Fluid Attacks).