GHSA-cfmv-h8fx-85m7: 
Python vulnerability analysis and mitigation

The vulnerability (GHSA-cfmv-h8fx-85m7) affects xml2rfc package versions 3.30.0 and below. This arbitrary file read vulnerability was discovered by Mohamed Ouad from Doyensec and was published on August 26, 2025. The issue has been patched in version 3.30.1 (GitHub Advisory).

The vulnerability is classified as a Path Traversal issue (CWE-22) with a high severity CVSS score of 8.7. The vulnerability allows attackers to read arbitrary files from the filesystem through malicious link element injection in XML when generating PDF files. The CVSS metrics indicate that the vulnerability can be exploited over the network, requires low attack complexity, and needs no privileges or user interaction (GitHub Advisory).

When successfully exploited, this vulnerability has a high impact on confidentiality as it allows unauthorized access to read arbitrary files from the filesystem. The vulnerability does not affect the integrity or availability of the system (GitHub Advisory).

The primary mitigation is to upgrade to xml2rfc version 3.30.1 which includes the security fix. As a workaround, users should test untrusted input with link elements containing rel='attachment' before processing. The patch implements a fix that strips link attachments and prevents unauthorized file access (GitHub Commit).