CodeQL CLI Vulnerable to XML External Entity Attack

CVE-2024-25129

What is CVE-2024-25129?

CVE-2024-25129 is a security vulnerability identified in the CodeQL command line interface (CLI), which is a tool developed by GitHub for analyzing source code to find vulnerabilities and bugs. This specific vulnerability arises from an insecure XML parser within the CodeQL CLI that is exploited via an XML External Entity (XXE) attack. If a vulnerable version of the CodeQL CLI is utilized, maliciously crafted databases or specially formatted QL query files can trigger the CLI to execute outgoing HTTP requests to attacker-controlled URLs. This behavior could lead to unauthorized access to local files, resulting in potential data exfiltration and loss of confidential information. The risk primarily affects security researchers and developers who process untrusted input data, as it can expose sensitive data to external actors.

Potential impact of CVE-2024-25129

1. Data Exfiltration: The vulnerability allows attackers to read local files on the host machine by manipulating the XML parser. This could lead to the unauthorized transmission of sensitive data, including configuration files or secrets, which can be highly damaging to an organization's security posture.

2. Privacy Breaches: Organizations that utilize the CodeQL CLI with untrusted data sources risk compromising the privacy of their internal data. This can be particularly concerning for entities dealing with sensitive or regulatory-compliant information, as the unintended disclosure of such data can lead to significant legal and reputational consequences.

3. Impact on Security Research: Security researchers relying on CodeQL for vulnerability analysis may inadvertently expose their systems to attacks through the use of compromised query files or databases. This undermines the integrity of their research efforts and poses risks not only to their own data but also to any systems influenced by their findings.

Overall, these impacts necessitate immediate attention, with recommended actions including upgrading to the latest version (2.16.3 or later) or implementing strict controls around the processing of untrusted QL sources.

References