Impact

Possible remote Denial of Service or Data Injection.

Patches

Patches are available in #268. They have been backported to the 0.10 release series and 0.10.3 is the first release to contain the fix.

Workarounds

To make the bug exploitable, an error suppressing xso_error_handler is required. By not using xso_error_handlers or not using the suppression function, the vulnerability can be mitigated completely (to our knowledge).

References

The pull request contains a detailed description: #268

For more information

If you have any questions or comments about this advisory:

• Join our chat
• Email the maintainer Jonas Schäfer