CVE-2023-34194

7.5 HIGH

📋 TL;DR

CVE-2023-34194 is a denial-of-service vulnerability in TinyXML's XML parser where a specially crafted XML document containing a null character after whitespace triggers an assertion failure, causing the application to crash. This affects all applications using TinyXML version 2.6.2 and earlier to parse untrusted XML input. The vulnerability is reachable through any XML parsing functionality in affected software.

💻 Affected Systems

Products:
  • TinyXML library
  • Any software using TinyXML for XML parsing
Versions: TinyXML through version 2.6.2
Operating Systems: All operating systems where TinyXML is used
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when parsing XML documents. Applications must use the affected TinyXML parsing functions with untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete application crash leading to denial of service for all users, potentially disrupting critical business functions if the application handles mission-critical XML processing.

🟠 Likely Case: Application crash when processing malicious XML input, resulting in temporary service unavailability until the process restarts.

🟢 If Mitigated: Minimal impact if XML input is validated/sanitized before parsing or if the application has proper crash recovery mechanisms.

🌐 Internet-Facing: HIGH if the application accepts XML input from untrusted sources over the internet, as exploitation requires only sending a crafted XML document.
🏢 Internal Only: MEDIUM if XML processing occurs internally, as exploitation still requires access to submit XML to the vulnerable component.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - craft an XML document with specific null character placement. The vulnerability details are publicly documented in the source code references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.6.2 (check for updated releases)

Vendor Advisory: https://sourceforge.net/p/tinyxml/git/ci/master/tree/tinyxmlparser.cpp

Restart Required: Yes

Instructions:

1. Update TinyXML to a patched version.
2. Recompile any applications using TinyXML with the updated library.
3. Restart affected services.
4. For packaged distributions (Debian, Fedora), use system package managers to update.

🔧 Temporary Workarounds

Input Validation/Sanitization

all

Validate and sanitize XML input before passing to TinyXML parser, removing or rejecting documents containing null characters in problematic positions.

XML Pre-processing Filter

all

Implement a pre-processing step that scans XML for the specific vulnerability pattern (null character after whitespace in declaration) and rejects or sanitizes such documents.
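
An added example, not taken from TinyXML or from this advisory: a length-aware pre-parse screen covering both workarounds above. The names screen_xml, Verdict and safe_to_parse are hypothetical; UTF-8 or single-byte input is assumed, and treating an unterminated declaration as the same condition (the C-string terminator is itself a null character) is an assumption of this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical names for this example; none of this is TinyXML API.
enum class Verdict { Accept, EmbeddedNul, UnterminatedDeclaration };

// Screen a length-delimited buffer before it is handed to the XML parser.
// Assumes single-byte/UTF-8 input: UTF-16 text legitimately contains 0x00
// bytes and would have to be transcoded before this check.
Verdict screen_xml(const std::string& buf) {
    // 1. U+0000 is not a legal XML 1.0 character, so a NUL byte anywhere in
    //    the buffer is grounds for rejection. std::string::find is
    //    length-aware, unlike strlen/strchr, which stop at the first NUL.
    if (buf.find('\0') != std::string::npos) {
        return Verdict::EmbeddedNul;
    }
    // 2. Once the buffer is passed on as a C string, its terminator is itself
    //    a null character. Require every "<?xml" declaration to be closed by
    //    "?>" so the terminator is never reached inside a declaration
    //    (assumption of this example, see the lead-in).
    std::size_t pos = 0;
    while ((pos = buf.find("<?xml", pos)) != std::string::npos) {
        std::size_t end = buf.find("?>", pos + 5);
        if (end == std::string::npos) {
            return Verdict::UnterminatedDeclaration;
        }
        pos = end + 2;
    }
    return Verdict::Accept;
}

// Convenience wrapper for call sites that only need a yes/no answer.
bool safe_to_parse(const std::string& buf) {
    return screen_xml(buf) == Verdict::Accept;
}

int main() {
    // Constructed sample inputs: well-formed, embedded NUL, cut-off declaration.
    const char nul_doc[] = "<?xml \0version=\"1.0\"?><a/>";
    std::printf("%d %d %d\n",
                safe_to_parse("<?xml version=\"1.0\"?><a/>"),
                safe_to_parse(std::string(nul_doc, sizeof nul_doc - 1)),
                safe_to_parse("<?xml version=\"1.0\" "));
    return 0;
}
```

Run the screen on the raw bytes and their received length, before any conversion to a C string; rejected documents should be logged and dropped rather than repaired.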

🧯 If You Can't Patch

  • Implement strict input validation to reject XML documents containing null characters in the declaration section
  • Deploy application-level monitoring and automatic restart mechanisms to minimize downtime from potential crashes

🔍 How to Verify

Check if Vulnerable:

Check if your application uses TinyXML version 2.6.2 or earlier. For Linux systems: ldd /path/to/application | grep -i tinyxml; check package versions.

Check Version:

For source installations: check the tinyxml.h header file version. For packages: dpkg -l | grep tinyxml (Debian/Ubuntu) or rpm -qa | grep -i tinyxml (RHEL/Fedora).

Verify Fix Applied:

After updating, verify the TinyXML version is greater than 2.6.2. Test with a proof-of-concept XML document containing the vulnerability pattern to ensure no crash occurs.

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs mentioning TinyXML
  • Assertion failure messages containing 'StringEqual' or 'TiXmlDeclaration::Parse'
  • Sudden process termination during XML processing

Network Indicators:

  • Multiple XML submission attempts followed by service unavailability
  • XML documents containing null characters in network captures

SIEM Query:

source="application.log" AND ("assertion failed" OR "TinyXML" OR "TiXmlDeclaration") AND ("crash" OR "terminated")
