Security Advisory

XML External Entity (XXE) Injection in TwelveMonkeys ImageIO

Attackers can perform XML External Entity (XXE) attacks through manipulated XMP metadata.

Advisory ID: MLSA-2021-005
CVE: CVE-2021-23792
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: medium
Affected versions: < 3.7.1
Fixed versions: ≥ 3.7.1
Discovered by: Timo Müller

Product description

TwelveMonkeys ImageIO provides extended image file format support for the Java platform, through plugins for the javax.imageio.* package.

The main goal of this project is to provide support for formats not covered by the JRE itself. Support for these formats is important, to be able to read data found “in the wild”, as well as to maintain access to data in legacy formats. As there is lots of legacy data out there, we see the need for open implementations of readers for popular formats.

Details

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser used for reading XMP metadata. An attacker can exploit this vulnerability if they are able to supply an image file with a malicious XMP segment (e.g. as an online profile picture that the application processes). If the XMP metadata of the uploaded image is parsed, the XXE vulnerability is triggered.
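The following is an added example, not code from the TwelveMonkeys project or from its fix, showing what an "insecurely initialized" JAXP parser looks like next to a hardened one. It assumes the standard JDK DocumentBuilderFactory and the Xerces feature URIs the JDK parser understands; the XMP packet is constructed for the demonstration and carries only a harmless internal entity, since a DOCTYPE has no business in XMP at all and its mere presence is what the hardened configuration rejects.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XmpParserHardening {

    // Constructed sample XMP packet. A legitimate XMP packet never needs a DOCTYPE,
    // so any DOCTYPE in embedded metadata is a signal to reject the segment outright.
    static final String XMP_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE x [ <!ENTITY probe \"expanded\"> ]>\n" +
        "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">\n" +
        "  <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\n" +
        "    <rdf:Description xmlns:dc=\"http://purl.org/dc/elements/1.1/\">\n" +
        "      <dc:title>&probe;</dc:title>\n" +
        "    </rdf:Description>\n" +
        "  </rdf:RDF>\n" +
        "</x:xmpmeta>";

    /** Default-configured factory: DTDs are processed and entities resolved and
     *  expanded, which is the class of misconfiguration that makes XXE possible. */
    static DocumentBuilderFactory defaultFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /** Hardened factory for untrusted metadata: no DOCTYPE at all, no external
     *  general or parameter entities, no external DTD fetch, no XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 access restrictions as a second line of defence.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses the packet with the given factory and returns the dc:title text. */
    static String parseTitle(DocumentBuilderFactory f, String xmp) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xmp)));
        return doc.getElementsByTagNameNS("http://purl.org/dc/elements/1.1/", "title")
                  .item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // The default parser silently expands the entity: output is "expanded".
        System.out.println("default parser: " + parseTitle(defaultFactory(), XMP_WITH_DOCTYPE));
        try {
            parseTitle(hardenedFactory(), XMP_WITH_DOCTYPE);
        } catch (SAXParseException e) {
            // The hardened parser refuses the packet before any entity is touched.
            System.out.println("hardened parser rejected the packet: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE declaration is the single setting that closes the whole class; the remaining features matter for parsers or code paths where a DOCTYPE must be tolerated. Applying the same factory configuration to every parser that touches file-embedded metadata, not just the XMP reader, is the check worth making in a code review.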

Coordinated Disclosure Timeline

  • 07/12/2021 Issue reported to Snyk, which handled the vulnerability disclosure and assigned a CVE.
  • 10/12/2021 GitHub commit with security fix.
  • 13/12/2021 Public disclosure.