GHSA-9mv7-3c64-mmqw: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-9mv7-3c64-mmqw) affects xml2rfc package versions below 3.30.2, discovered and disclosed in September 2025. This high-severity security flaw in xml2rfc allows attackers to perform arbitrary file reads through prepped files when generating PDF documents. The vulnerability was identified in the IETF Tools' xml2rfc package and received a CVSS score of 8.7 (GitHub Advisory).

The vulnerability is classified as a Path Traversal issue (CWE-22), where the application fails to properly restrict pathname limitations within a restricted directory. The vulnerability has a CVSS v4 base score of 8.7, with metrics indicating Network attack vector, Low attack complexity, No attack requirements, No privileges required, and No user interaction needed. The vulnerability primarily impacts system confidentiality with High severity, while Integrity and Availability remain unaffected (GitHub Advisory).

When exploited, the vulnerability enables attackers to read arbitrary files from the filesystem by injecting malicious link elements into the prepped RFCXML during PDF file generation. This poses a significant security risk as it could lead to unauthorized access to sensitive system files (GitHub Advisory).

The vulnerability has been patched in version 3.30.2 of xml2rfc. The fix includes adding a sanitize step to the parser and implementing proper handling of link attachments. For users unable to update immediately, a workaround is available: test untrusted input with link elements containing rel='attachment' before processing (GitHub Release, GitHub Commit).