CVE-2023-34411 Overview
CVE-2023-34411 is a denial of service vulnerability affecting the xml-rs crate for Rust. The vulnerability allows attackers to trigger a panic condition through specially crafted XML documents containing invalid <! tokens, such as malformed DOCTYPE declarations with improper nesting (e.g., <!DOCTYPEs/%<!A). This input validation flaw can cause applications using the vulnerable library to crash unexpectedly, leading to service disruption.
Critical Impact
Applications parsing untrusted XML input using affected versions of xml-rs (0.8.9 through 0.8.13) are vulnerable to denial of service attacks via crafted malicious XML documents that cause parser panics.
Affected Products
- xml-rs crate for Rust versions 0.8.9 through 0.8.13
- Crab XML library (associated implementation)
- Applications and services utilizing vulnerable xml-rs versions for XML parsing
Discovery Timeline
- 2023-06-05 - CVE-2023-34411 published to NVD
- 2025-01-08 - Last updated in NVD database
Technical Details for CVE-2023-34411
Vulnerability Analysis
This denial of service vulnerability stems from improper handling of markup declaration tokens within the XML parser's lexer and state machine components. When the parser encounters an invalid <! token sequence—particularly malformed DOCTYPE declarations with unexpected nesting patterns—it fails to gracefully handle the error condition, resulting in a panic that terminates the application.
The vulnerability specifically affects the parser's ability to properly transition between states when processing DOCTYPE markup declarations. The parser lacked state handling for MarkupDeclarationStart tokens when already inside a DOCTYPE context, so nested or malformed declarations left it holding a token it had no transition for.
Root Cause
The root cause lies in the incomplete state machine implementation within the xml-rs parser. The inside_doctype function did not account for encountering additional MarkupDeclarationStart tokens (represented by <! sequences) while already processing a DOCTYPE declaration. This oversight meant that malformed XML with nested markup declarations would cause the parser to reach an unexpected state, triggering a panic when attempting to display error information for unexpected tokens.
Additionally, the lexer's error display functionality was missing a case for the MarkupDeclarationStart token variant, causing an unreachable!() macro to execute and panic when attempting to format error messages for this token type.
Attack Vector
This vulnerability is exploitable over the network by any attacker who can supply XML input to an application using the vulnerable xml-rs library. The attack requires no authentication or user interaction. An attacker simply needs to craft a malicious XML document containing invalid DOCTYPE declarations with nested <! tokens and submit it to the target application's XML parsing endpoint.
The attack is particularly concerning for web services, APIs, or any application that processes user-supplied XML content, as a single malicious request can cause the entire service to crash.
// Security patch in src/reader/parser/inside_doctype.rs - Parse DOCTYPE markup declarations
// Source: https://github.com/00xc/xml-rs/commit/0f084d45aa53e4a27476961785f59f2bd7d59a9f
pub fn inside_doctype(&mut self, t: Token) -> Option<Result> {
match t {
Token::TagEnd => {
- self.lexer.enable_errors();
self.into_state_continue(State::OutsideTag)
}
+ Token::MarkupDeclarationStart => {
+ self.into_state_continue(State::InsideDoctypeMarkupDeclaration)
+ },
+
+ _ => None,
+ }
+ }
+
+ pub fn inside_doctype_markup_declaration(&mut self, t: Token) -> Option<Result> {
+ match t {
+ Token::TagEnd => {
+ self.into_state_continue(State::InsideDoctype)
+ }
+
_ => None,
}
}
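Review bot: In inside_doctype_markup_declaration, the `_ => None` arm swallows every token until the first Token::TagEnd, including a further Token::MarkupDeclarationStart, so a comment should state that a nested <! inside a declaration is deliberately skipped rather than rejected, and a regression test should feed the reported input <!DOCTYPEs/%<!A. The TagEnd arm of inside_doctype also drops `self.lexer.enable_errors();` with no replacement visible in this hunk; please confirm where lexer errors are re-enabled once the DOCTYPE ends.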
// Security patch in src/reader/lexer.rs - Avoid panic when displaying unexpected token error
// Source: https://github.com/netvl/xml-rs/commit/c09549a187e62d39d40467f129e64abf32efc35c
Token::EqualsSign => "=",
Token::SingleQuote => "'",
Token::DoubleQuote => "\"",
+ Token::MarkupDeclarationStart => "<!",
_ => unreachable!()
}.fmt(f),
}
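Review bot: The `_ => unreachable!()` fallback directly below the new Token::MarkupDeclarationStart arm is still in place, so any other variant missing from this match will panic in the error formatter in the same way. Consider listing the remaining variants explicitly so the compiler rejects an omission, or returning a placeholder string from the fallback instead of panicking.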
Detection Methods for CVE-2023-34411
Indicators of Compromise
- Unexpected application crashes or panics in services that parse XML input
- Error logs showing panic messages originating from xml-rs parser components
- Increased rate of service restarts or container failures in XML-processing applications
- Log entries containing malformed DOCTYPE declarations or nested <! sequences
Detection Strategies
- Monitor application logs for Rust panic messages referencing xml-rs, inside_doctype, or lexer components
- Implement input validation to detect and reject XML documents with suspicious DOCTYPE patterns before parsing
- Use dependency scanning tools (such as cargo audit) to identify vulnerable xml-rs versions in your Rust projects
- Deploy web application firewalls (WAF) with rules to detect malformed XML DOCTYPE declarations
Monitoring Recommendations
- Enable comprehensive logging for all XML parsing operations including input content hashes
- Set up alerting for unusual patterns of application crashes or restarts
- Monitor for repeated requests from single sources containing XML payloads
- Track dependency versions across your Rust projects and alert when vulnerable versions are detected
How to Mitigate CVE-2023-34411
Immediate Actions Required
- Upgrade xml-rs crate to version 0.8.14 or later immediately
- Audit all Rust projects for xml-rs dependency usage, including transitive dependencies
- Implement input validation to reject suspicious XML content before it reaches the parser
- Consider implementing rate limiting on XML parsing endpoints to reduce DoS impact
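One way to carry out the dependency audit above without extra tooling, as an added example that is not part of the original advisory: it scans Cargo.lock text, which also lists transitive dependencies, for xml-rs versions in the affected range 0.8.9 through 0.8.13. The sample lockfile and all function names are constructed for illustration.

```rust
// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK: &str = r#"
version = 3
[[package]]
name = "demo-service"
version = "0.1.0"

[[package]]
name = "xml-rs"
version = "0.8.13"
"#;

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(triple) }
}

// Affected range stated in the advisory: 0.8.9 through 0.8.13 inclusive.
fn is_affected(v: &str) -> bool {
    matches!(parse_version(v), Some(t) if t >= (0, 8, 9) && t <= (0, 8, 13))
}

// Extract the value of `key = "value"` from one lockfile line.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"')
}

// Return every resolved xml-rs version in the lockfile that is in the affected range.
fn affected_in_lockfile(lock: &str) -> Vec<String> {
    let (mut name, mut hits) = (String::new(), Vec::new());
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name.clear(); // new package entry: forget the previous name
        } else if let Some(v) = quoted_value(line, "name") {
            name = v.to_string();
        } else if let Some(v) = quoted_value(line, "version") {
            if name == "xml-rs" && is_affected(v) { hits.push(v.to_string()); }
        }
    }
    hits
}

fn main() {
    println!("affected xml-rs versions: {:?}", affected_in_lockfile(SAMPLE_LOCK));
}
```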
Patch Information
The vulnerability has been fixed in xml-rs version 0.8.14. The fix introduces proper state handling for MarkupDeclarationStart tokens within DOCTYPE contexts and adds the missing token case in the error display formatter. Review the GitHub Version Comparison for complete patch details. Additional fixes are documented in GitHub Pull Request #226.
Workarounds
- If immediate upgrade is not possible, implement pre-parsing validation to reject XML documents containing malformed DOCTYPE declarations
- Wrap XML parsing operations in panic handlers to prevent service crashes while accepting potential data loss
- Deploy the vulnerable service in isolated containers with automatic restart policies to minimize downtime
- Use alternative XML parsing libraries temporarily until the upgrade can be completed
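The formatter defect described under Root Cause and the panic-handler workaround listed above, as an added example: this is a simplified model written for this page, not xml-rs code, and `Token`, `Unpatched`, `Patched` and `contain_panic` are hypothetical names. The exhaustive match in `Patched` goes one step beyond the upstream patch, which keeps a wildcard arm.

```rust
use std::fmt;
use std::panic::{self, AssertUnwindSafe};

// Simplified stand-in for the lexer's token type (hypothetical, not xml-rs's enum).
#[allow(dead_code)]
#[derive(Clone, Copy)]
enum Token { EqualsSign, SingleQuote, DoubleQuote, MarkupDeclarationStart }

// "Before": `<!` has no arm, so formatting it hits the wildcard and panics.
struct Unpatched(Token);
impl fmt::Display for Unpatched {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let s = match self.0 {
            Token::EqualsSign => "=",
            Token::SingleQuote => "'",
            Token::DoubleQuote => "\"",
            _ => unreachable!(),
        };
        f.write_str(s)
    }
}

// Hardened variant: no wildcard, so a forgotten variant fails to compile.
struct Patched(Token);
impl fmt::Display for Patched {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(match self.0 {
            Token::EqualsSign => "=",
            Token::SingleQuote => "'",
            Token::DoubleQuote => "\"",
            Token::MarkupDeclarationStart => "<!",
        })
    }
}

// Workaround: contain a panic at the request boundary and return it as an error.
// Only effective with panic = "unwind"; with panic = "abort" the process still dies.
fn contain_panic<T>(work: impl FnOnce() -> T) -> Result<T, String> {
    panic::catch_unwind(AssertUnwindSafe(work)).map_err(|payload| {
        payload.downcast_ref::<&str>().map(|s| s.to_string())
            .or_else(|| payload.downcast_ref::<String>().cloned())
            .unwrap_or_else(|| "non-string panic payload".to_string())
    })
}

fn main() {
    let bad = contain_panic(|| Unpatched(Token::MarkupDeclarationStart).to_string());
    println!("unpatched: {:?}", bad);
    println!("patched:   {}", Patched(Token::MarkupDeclarationStart));
}
```

The default panic hook still writes the panic message to stderr, which is the log signal the detection section tells you to watch for.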
# Configuration example - update xml-rs to the patched release
# Show which xml-rs version is currently resolved
cargo tree -p xml-rs
# Update the Cargo.toml dependency
# Change: xml-rs = "0.8.13" (or earlier vulnerable version)
# To: xml-rs = "0.8.14"
# Refresh Cargo.lock so the patched version is actually selected
cargo update -p xml-rs
# Run cargo audit to verify no vulnerabilities remain
# (cargo audit is a separate subcommand: cargo install cargo-audit)
cargo audit
# Rebuild the project with the updated dependency
cargo build --release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

