CVE-2019-13117 in Java SE
Summary
by MITRE
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/29/2026
The vulnerability identified as CVE-2019-13117 resides within the libxslt library version 1.1.33, specifically in the numbers.c file where the xsl:number element processing contains a critical flaw that manifests as an uninitialized read condition. This issue occurs during the execution of xsltNumberFormatInsertNumbers function when processing certain format strings, creating a potential information disclosure vulnerability that could be exploited by malicious actors to extract sensitive data from memory locations.
The technical flaw stems from improper initialization of memory variables during the number formatting process, where the xsl:number element fails to properly initialize memory before reading from it. This uninitialized read vulnerability allows an attacker to infer the contents of stack memory locations by observing how the application handles different character inputs, specifically revealing whether a byte contains one of the characters A, a, I, i, or 0, or other specific character values. The vulnerability represents a classic information disclosure weakness that falls under CWE-457, which defines uninitialized variables as a category of security flaws that can lead to unpredictable behavior and potential data exposure.
From an operational impact perspective, this vulnerability creates a significant risk for systems processing untrusted XSLT transformations, particularly those involving user-supplied content or external data sources. Attackers could potentially leverage this information disclosure to reconstruct sensitive memory contents, including potentially revealing stack-based data that might contain credentials, session tokens, or other confidential information. The attack surface extends to any application that utilizes libxslt for processing XSLT documents, making it particularly concerning for web applications, content management systems, and any platform that accepts and processes external transformation requests.
The vulnerability aligns with ATT&CK technique T1083, which covers file and directory discovery, and T1552, covering unsecured credentials, as the uninitialized read could potentially expose sensitive data stored in memory. Organizations utilizing vulnerable versions of libxslt should prioritize immediate patching to address this issue, as the vulnerability can be exploited without requiring special privileges or authentication. The recommended mitigation strategy includes updating to libxslt version 1.1.34 or later, which contains the necessary fixes to properly initialize memory variables during the number formatting process, thereby preventing the uninitialized read condition that enables the information disclosure. Additionally, implementing proper input validation and sanitization for XSLT processing, along with restricting access to transformation endpoints, can provide additional defense-in-depth measures against exploitation attempts.