CVE-2019-5312

Severity: 9.8 CRITICAL
Type: XXE

📋 TL;DR

This vulnerability allows XML External Entity (XXE) attacks in weixin-java-tools v3.3.0, enabling attackers to read arbitrary files from the server, perform server-side request forgery (SSRF), or, depending on the runtime, potentially execute remote code. It affects applications that use this library for WeChat payment processing. The vulnerability exists because the fix for a previous XXE issue (CVE-2018-20318) was incomplete.

💻 Affected Systems

Products:
  • weixin-java-tools
Versions: v3.3.0 specifically (incomplete fix for CVE-2018-20318)
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the BaseWxPayResult.java getXmlDoc method for XML parsing of WeChat payment responses

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution, complete system compromise, sensitive data exfiltration including payment information and server credentials

🟠 Likely Case: Arbitrary file read from the server, internal network reconnaissance via SSRF, potential denial of service

🟢 If Mitigated: Limited impact if XML parsing is disabled or properly configured with entity restrictions

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well understood and many public exploit techniques exist; the linked GitHub issue shows the specific vulnerable code patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after v3.3.0 with complete XXE fixes

Vendor Advisory: https://github.com/Wechat-Group/WxJava/issues/903

Restart Required: Yes

Instructions:

1. Update weixin-java-tools to the latest version.
2. Verify XXE protection is enabled in the XML parsers it uses.
3. Restart affected applications.

🔧 Temporary Workarounds

Disable XXE in XML parser (platforms: all)

Configure XML parsers to disable external entity processing.

Set XML parser properties: FEATURE_SECURE_PROCESSING=true, disallow-doctype-decl=true

Input validation and filtering (platforms: all)

Sanitize XML input before it reaches the getXmlDoc method.

Implement XML schema validation or strip DOCTYPE declarations from input.
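The following is an added example of the hardened parser configuration described above; it is not code from weixin-java-tools/WxJava. The class and method names (HardenedWxPayXmlParser, hardenedFactory, parse) are hypothetical, and both XML inputs are constructed samples: one shaped like a benign WeChat Pay reply, one carrying a DOCTYPE with a harmless internal entity so the rejection path can be observed. The feature URIs are the standard JAXP/Xerces ones behind the FEATURE_SECURE_PROCESSING and disallow-doctype-decl settings named in the workaround.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper (not part of weixin-java-tools) showing a DocumentBuilderFactory
// configured so that DOCTYPE declarations and external entities are never processed.
public class HardenedWxPayXmlParser {

    // Build a factory with every entity-related feature switched off.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // FEATURE_SECURE_PROCESSING=true from the workaround above
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // disallow-doctype-decl=true: any DOCTYPE makes parsing fail, which stops XXE outright
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever allowed again: no external entities or DTDs
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse a WeChat-style XML reply with the hardened factory.
    static Document parse(String xml) throws ParserConfigurationException, SAXException, java.io.IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like a WeChat Pay reply (not real payment data)
        String benign = "<xml><return_code><![CDATA[SUCCESS]]></return_code>"
                + "<result_code><![CDATA[SUCCESS]]></result_code></xml>";
        Document doc = parse(benign);
        System.out.println("return_code = "
                + doc.getElementsByTagName("return_code").item(0).getTextContent());

        // Constructed sample with a DOCTYPE and a harmless internal entity; the hardened
        // parser must reject it before any entity is resolved.
        String withDoctype = "<!DOCTYPE xml [<!ENTITY placeholder \"x\">]>"
                + "<xml><return_code>&placeholder;</return_code></xml>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE input was accepted");
        } catch (SAXException e) {
            // Expected: "DOCTYPE is disallowed when the feature ... is set to true"
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

The second parse call is the same check the "Verify Fix Applied" step relies on: a correctly configured parser fails fast on any DOCTYPE, so a payload never reaches entity resolution. Apply the same feature set to any SAXParserFactory or XMLInputFactory the application uses, since XXE protection is per parser instance, not global.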

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems from sensitive data
  • Deploy web application firewall with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if using weixin-java-tools v3.3.0 and review BaseWxPayResult.java for insecure XML parser configuration

Check Version:

Check Maven/Gradle dependencies for com.github.binarywang:weixin-java-pay version

Verify Fix Applied:

Verify the dependency has been updated to a version later than 3.3.0, then confirm that XML inputs containing DOCTYPE declarations are rejected by the parser.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from XML parsing components
  • XML parsing errors with external entity references
  • Unexpected outbound HTTP requests from payment processing

Network Indicators:

  • HTTP requests to internal resources from payment processing servers
  • Large XML payloads with DOCTYPE declarations

SIEM Query:

source="payment-server" AND (message="*DOCTYPE*" OR message="*ENTITY*" OR message="*SYSTEM*")

Legitimate WeChat Pay responses do not carry DOCTYPE or ENTITY declarations, so any hit on this query is worth triage; "SYSTEM" alone may match unrelated log text and should be read together with the other two terms.
