
CWE-643 (Improper Neutralization of Data within XPath Expressions (XPath Injection)) — Vulnerability Class 11

11 vulnerabilities classified as CWE-643 (Improper Neutralization of Data within XPath Expressions (XPath Injection)). AI Chinese analysis included.

CWE-643 is an input validation weakness in which an application embeds external data into an XPath query without neutralizing it. The flaw typically arises when user-supplied strings are concatenated directly into a dynamic XPath expression without escaping or parameterization. An attacker who supplies XPath syntax in that input changes the logical structure of the query, and can use this to bypass authentication checks or read data from the XML document that the query was never meant to return. To mitigate the risk, developers should avoid building queries from unsanitized input and instead bind user values as XPath variables (parameterized queries), so that input is treated as data rather than as query syntax. Strict input validation with an allow-list of expected characters adds a second layer: only expected characters reach the query, which neutralizes the remaining injection vectors and preserves the integrity of the XML retrieval process.

MITRE CWE Description
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query. The net effect is that the attacker will have control over the information selected from the XML database and may use that ability to control application flow, modify logic, retrieve unauthorized data, or bypass important checks (e.g. authentication).
Common Consequences (2)
Access Control: Bypass Protection Mechanism
Controlling application flow (e.g. bypassing authentication).
Confidentiality: Read Application Data
The attacker could read restricted XML content.
Mitigations (2)
Implementation: Use parameterized XPath queries (e.g. using XQuery). This will help ensure separation between data plane and control plane.
Implementation: Properly validate user input. Reject data where appropriate, filter where appropriate and escape where appropriate. Make sure input that will be used in XPath queries is safe in that context.
Examples (1)
Consider the following simple XML document that stores authentication information and a snippet of Java code that uses an XPath query to retrieve authentication information:

    <users>
      <user>
        <login>john</login>
        <password>abracadabra</password>
        <home_dir>/home/john</home_dir>
      </user>
      <user>
        <login>cbc</login>
        <password>1mgr8</password>
        <home_dir>/home/cbc</home_dir>
      </user>
    </users>

Informative · XML

    XPath xpath = XPathFactory.newInstance().newXPath();
    XPathExpression xlogin = xpath.compile("//users/user[login/text()='" + login.getUserName()
        + "' and password/text() = '" + login.getPassword() + "']/home_dir/text()");
    Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(new File("db.xml"));
    String homedir = xlogin.evaluate(d);

Bad · Java
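The same lookup with the credentials bound as XPath variables, as an added example that is not part of the MITRE entry or of any product listed below. It embeds the users document from the example above inline; the class name, the helper names and the quoted test input are this example's own.

```java
// Added example: class and method names are this example's own, not MITRE's.
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XPathLoginCheck {
    // The users document from the CWE example, embedded inline so this runs offline.
    static final String DB = "<users><user><login>john</login><password>abracadabra</password>"
        + "<home_dir>/home/john</home_dir></user><user><login>cbc</login><password>1mgr8</password>"
        + "<home_dir>/home/cbc</home_dir></user></users>";

    /** Vulnerable: mirrors the snippet above; the input becomes part of the query syntax. */
    static String homeDirUnsafe(Document d, String user, String pass) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate("//users/user[login/text()='" + user
            + "' and password/text()='" + pass + "']/home_dir/text()", d);
    }

    /** Hardened: the query text is fixed; values are supplied through an XPathVariableResolver. */
    static String homeDirSafe(Document d, String user, String pass) throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver((QName name) -> {
            switch (name.getLocalPart()) {
                case "login":    return user;
                case "password": return pass;
                default:         return null;   // unknown variable -> evaluation error, not a match
            }
        });
        XPathExpression q = xpath.compile(
            "//users/user[login/text()=$login and password/text()=$password]/home_dir/text()");
        return q.evaluate(d);   // "" when no user matches
    }

    public static void main(String[] args) throws Exception {
        Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(DB.getBytes(StandardCharsets.UTF_8)));
        // Valid credentials behave the same either way.
        System.out.println(homeDirUnsafe(d, "john", "abracadabra")); // /home/john
        System.out.println(homeDirSafe(d, "john", "abracadabra"));   // /home/john
        // A quote plus XPath boolean syntax in the password: the unsafe query still matches
        // (the predicate becomes a tautology), the parameterized one compares it literally.
        String tainted = "' or '1'='1";
        System.out.println(homeDirUnsafe(d, "john", tainted));          // /home/john
        System.out.println(homeDirSafe(d, "john", tainted).isEmpty());  // true
    }
}
```

The variable resolver is the Java equivalent of the "parameterized XPath queries" mitigation above: because `$login` and `$password` are compared as string values, no character in the input can close the quote or extend the predicate.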
CVE ID | Title — Product | CVSS | Severity | Published
CVE-2026-24343 | Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions — Apache HertzBeat | 9.4 (AI) | Critical (AI) | 2026-02-10
CVE-2025-11844 | XPath Injection in Hugging Face Smolagents search_item_ctrl_f Function — huggingface/smolagents | 9.1 (AI) | Critical (AI) | 2025-10-22
CVE-2025-20218 | Cisco Secure Firepower Management Center Software XPATH Injection Vulnerability — Cisco Firepower Management Center | 4.9 | Medium | 2025-08-14
CVE-2022-43840 | IBM Aspera Console XPath injection — Aspera Console | 4.3 | Medium | 2025-04-14
CVE-2024-39565 | Junos OS: J-Web: An unauthenticated, network-based attacker can perform XPATH injection attack against a device. — Junos OS | 8.8 | High | 2024-07-10
CVE-2024-2648 | Netentsec NS-ASG Application Security Gateway naccheck.php xpath injection — NS-ASG Application Security Gateway | 4.3 | Medium | 2024-03-19
CVE-2024-2645 | Netentsec NS-ASG Application Security Gateway resetpwd.php xpath injection — NS-ASG Application Security Gateway | 4.3 | Medium | 2024-03-19
CVE-2023-36429 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability — Microsoft Dynamics 365 (on-premises) version 9.0 | 6.5 | Medium | 2023-10-10
CVE-2023-36433 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability — Microsoft Dynamics 365 (on-premises) version 9.0 | 6.5 | Medium | 2023-10-10
CVE-2023-24922 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability — Microsoft Dynamics 365 (on-premises) version 9.0 | 6.5 | Medium | 2023-03-14
CVE-2020-25162 | B. Braun SpaceCom, Battery Pack SP with Wi-Fi, and Data module compactplus — SpaceCom | 7.5 | High | 2022-04-14

Vulnerabilities classified as CWE-643 (Improper Neutralization of Data within XPath Expressions (XPath Injection)) represent 11 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.