CVE-2025-11059

Impact

When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML.

Workarounds

Test untrusted input with link elements with rel="attachment" before processing.

References

This is related to GHSA-cfmv-h8fx-85m7.

Published: Sep 10, 2025
Updated: Sep 30, 2025
CVE: CVE-2025-11059
GHSA: GHSA-9mv7-3c64-mmqw
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
xml2rfc	-	3.30.2

https://github.com/ietf-tools/xml2rfc/commit/73fb1c91fc62ac540bb6bd24f982f2becf84c1b0
https://github.com/ietf-tools/xml2rfc/releases/tag/v3.30.2
https://github.com/ietf-tools/xml2rfc/security/advisories/GHSA-9mv7-3c64-mmqw

Vulnerability Database

CVE-2025-11059

Impact

Workarounds

References

Deep Security Visibility Without the Complexity