GHSA-9mv7-3c64-mmqw: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-9mv7-3c64-mmqw) affects xml2rfc package versions below 3.30.2, discovered and disclosed in September 2025. This critical security flaw impacts the PDF generation functionality of xml2rfc, where the software fails to properly sanitize input in prepped RFCXML files (GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 score of 8.7 (High severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The issue is classified as a Path Traversal vulnerability (CWE-22), where the application fails to properly limit pathname restrictions, allowing access to files outside the intended directory (GitHub Advisory).

When exploited, this vulnerability enables attackers to read arbitrary files from the filesystem through the manipulation of link elements in prepped RFCXML during PDF generation. The impact primarily affects the confidentiality of the system, with high potential for unauthorized access to sensitive files (GitHub Advisory).

The vulnerability has been patched in version 3.30.2 of xml2rfc. As a temporary workaround, users should test untrusted input with link elements containing rel='attachment' before processing. The fix involves adding a sanitize step to the parser, which strips link attachments (GitHub Release).