CVE-2024-36827

7.5 HIGH

📋 TL;DR

An XML External Entity (XXE) vulnerability in the get_metadata function of ebookmeta allows an attacker who can supply malicious XML input to read sensitive files from the server or cause a denial of service. Any application that uses an ebookmeta version before 1.2.8 to parse untrusted XML is affected.

💻 Affected Systems

Products:
  • ebookmeta
Versions: All versions before 1.2.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability only triggers when processing untrusted XML input through the get_metadata function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server file disclosure including sensitive configuration files, credentials, or SSH keys, potentially leading to full system compromise.

🟠 Likely Case

Limited file disclosure from the application's context, potentially exposing metadata or configuration files, or causing application crashes.

🟢 If Mitigated

No impact if XML parsing is disabled for external entities or if input is properly sanitized before processing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with many public exploit examples available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.8

Vendor Advisory: https://github.com/dnkorpushov/ebookmeta/issues/16#issue-2317712335

Restart Required: No

Instructions:

1. Update ebookmeta to version 1.2.8 or later using pip: pip install --upgrade ebookmeta==1.2.8
2. Verify the update completed successfully
3. Test XML parsing functionality

🔧 Temporary Workarounds

1. Disable XML external entity processing (applies to: all)

   Configure the XML parser to disable external entity resolution before parsing untrusted XML. The setting shown is lxml's; the standard-library ElementTree parser has no such option:

   from lxml import etree
   # Do not expand entity references; resolved external entities are what an XXE payload relies on.
   parser = etree.XMLParser(resolve_entities=False)

   This protects XML that your own code parses with that parser object; the parser used inside ebookmeta's get_metadata is only changed by upgrading to 1.2.8.

2. Input validation and sanitization (applies to: all)

   Validate and sanitize XML input before passing it to the get_metadata function.
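As an added example (not from this advisory or the ebookmeta project), the following pre-filter implements the "validate before get_metadata" workaround: it rejects any document that declares a DOCTYPE or an entity, which every XXE or entity-expansion payload needs, and does so with the stdlib expat tokenizer so that UTF-16 or BOM-prefixed input is decoded the way a real parser would decode it before the check runs. The sample documents are constructed, and the file path inside the entity declaration is a placeholder.

```python
import xml.parsers.expat

class UnsafeXML(ValueError):
    """The document declares a DOCTYPE or an entity, or is malformed."""

def assert_dtd_free(data: bytes) -> bytes:
    """Return data if it has no DOCTYPE/entity declaration, else raise UnsafeXML.

    expat tokenizes BOM/UTF-16/declared-encoding input the way a real XML parser
    would, which a byte search for b"<!DOCTYPE" does not."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising here aborts the parse at the DOCTYPE, before anything in
        # its internal subset (SYSTEM entities, nested entities) is used.
        raise UnsafeXML(f"DOCTYPE {name!r} SYSTEM={sysid!r} PUBLIC={pubid!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r}")  # defence in depth

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return data

def is_dtd_free(data: bytes) -> bool:  # verdict-only wrapper
    try:
        assert_dtd_free(data)
    except UnsafeXML:
        return False
    return True

# Constructed sample documents (not real ebook files).
SAFE_OPF = b"""<?xml version="1.0" encoding="UTF-8"?>
<package xmlns="http://www.idpf.org/2007/opf" version="2.0">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/">
    <dc:title>Constructed Sample Title</dc:title>
  </metadata>
</package>"""
# Internal subset with an external entity; the file path is a placeholder.
DTD_OPF = b"""<?xml version="1.0"?>
<!DOCTYPE package [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH"> ]>
<package><metadata><title>&ext;</title></metadata></package>"""
# The same kind of payload in UTF-16; b"<!DOCTYPE" in UTF16_DTD is False.
UTF16_DTD = ('<?xml version="1.0" encoding="UTF-16"?>\n'
             '<!DOCTYPE a [ <!ENTITY e "constructed"> ]><a>&e;</a>').encode("utf-16")
```

Rejecting every DOCTYPE also rejects legitimate documents that reference a public DTD, so apply this to untrusted uploads rather than to a trusted library, or allow-list the specific PUBLIC identifiers you expect.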

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Deploy web application firewall with XXE protection rules

🔍 How to Verify

Check if Vulnerable / Check Version:

python -c "import ebookmeta; print(ebookmeta.__version__)"

Any version below 1.2.8 is affected.

Verify Fix Applied:

Verify version is 1.2.8 or higher and test with known XXE payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from XML parsing functions
  • Application crashes during XML processing
  • Large XML payloads with external entity references

Network Indicators:

  • XML payloads containing SYSTEM or PUBLIC declarations
  • Requests to internal file paths from XML parsers

SIEM Query:

source="application.logs" AND ("XXE" OR "external entity" OR "DOCTYPE")
