CVE-2019-19450 in ReportLab
Summary
by MITRE • 09/20/2023
paraparser in ReportLab before 3.5.31 allows remote code execution because start_unichar in paraparser.py evaluates untrusted user input in a unichar element in a crafted XML document with '<unichar code="' followed by arbitrary Python code, a similar issue to CVE-2019-17626.
Analysis
by VulDB Data Team • 05/15/2025
CVE-2019-19450 is a critical remote code execution flaw in the paraparser component of the ReportLab library. It affects versions before 3.5.31 and stems from missing input validation when XML documents containing unichar elements are processed: user-supplied data is handed directly to a Python evaluation routine and interpreted as code, so anyone who can get a crafted document processed gains arbitrary code execution on the host.
The flaw lives in the start_unichar function of paraparser.py, which handles unichar elements. When a crafted document contains '<unichar code="' followed by arbitrary Python code, the parser evaluates that attribute value without sanitizing it. This is a classic code injection: the payload runs in the context of the application processing the XML, so an attacker needs nothing more than a malicious XML document that reaches ReportLab's paraparser to execute arbitrary Python.
Operationally, any system that feeds untrusted XML through ReportLab's paragraph parsing is exposed. The impact is not limited to running code: an attacker could use the foothold to gain unauthorized access, escalate privileges, or deploy further payloads, potentially leading to full system compromise. Web applications, document processing systems, and any software that relies on ReportLab to generate PDFs from XML content are affected, and such document generation is common in enterprise environments.
The vulnerability maps to CWE-94 (Improper Control of Generation of Code) and shows characteristics of ATT&CK technique T1059.001 (Command and Scripting Interpreter). Organizations running ReportLab in production should apply version 3.5.31 or later immediately, as that release removes the dangerous evaluation behavior. Additional mitigations are strict input validation of XML documents, sandboxing when processing untrusted content, and considering alternative document processing libraries that do not exhibit similar code injection flaws. Network segmentation and monitoring for unusual XML processing activity can also help detect exploitation attempts.
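As an added example written for this page (it is not ReportLab's code and does not reproduce the 3.5.31 fix), the following shows the hardened counterpart of the pattern described above: the unichar code attribute is matched against an integer-literal grammar and converted with int() rather than evaluated, a name attribute (an assumption about the element's shape, not something the advisory states) is resolved through the Unicode database, and a small scanner flags documents whose unichar attributes contain anything other than a literal, which is the strict input validation the mitigations call for. The sample documents are constructed for the example.

```python
"""Safe handling of a <unichar code="..."> attribute.

Illustrative code for this page, not ReportLab's paraparser. It assumes a
unichar element carrying either a `code` attribute (a code point) or a
`name` attribute (a Unicode character name); `name` is an assumption.
"""
from __future__ import annotations

import re
import unicodedata
import xml.etree.ElementTree as ET
from typing import Optional

# Acceptable `code` attribute: exactly one integer literal (decimal, or
# 0x/0o/0b prefixed). Anything else is an expression and is rejected.
_INT_LITERAL = re.compile(r"(0[xX][0-9a-fA-F]+|0[oO][0-7]+|0[bB][01]+|[0-9]+)")


def parse_unichar_code(code: str) -> str:
    """Return the character for a `code` attribute or raise ValueError.

    The vulnerable pattern hands the attribute string to eval(); here it
    must match the literal grammar and is converted with int() instead.
    """
    text = code.strip()
    if not _INT_LITERAL.fullmatch(text):
        raise ValueError(f"unichar code is not an integer literal: {code!r}")
    # int(x, 0) rejects decimals with leading zeros, so choose the base
    # explicitly instead of relying on auto-detection.
    base = 0 if text[:2].lower() in ("0x", "0o", "0b") else 10
    codepoint = int(text, base)
    if not 0 <= codepoint <= 0x10FFFF:
        raise ValueError(f"code point out of range: {codepoint:#x}")
    return chr(codepoint)


def unichar_to_str(code: Optional[str], name: Optional[str]) -> str:
    """Resolve a unichar element; exactly one attribute must be present."""
    if (code is None) == (name is None):
        raise ValueError("unichar needs exactly one of code= or name=")
    if code is not None:
        return parse_unichar_code(code)
    try:
        return unicodedata.lookup(name.strip())
    except KeyError as exc:
        raise ValueError(f"unknown character name: {name!r}") from exc


def find_unsafe_unichars(xml_text: str) -> list[str]:
    """Detection helper: code attributes that are not integer literals.

    Lets a document be screened before it reaches a parser that still
    evaluates the attribute.
    """
    root = ET.fromstring(xml_text)
    return [
        el.get("code")
        for el in root.iter("unichar")
        if el.get("code") is not None
        and not _INT_LITERAL.fullmatch(el.get("code").strip())
    ]


def expand_unichars(xml_text: str) -> str:
    """Render a flat <para> to text, substituting each unichar child.

    Only direct children are handled; nested markup would need recursion.
    """
    root = ET.fromstring(xml_text)
    parts = [root.text or ""]
    for el in root:
        if el.tag == "unichar":
            parts.append(unichar_to_str(el.get("code"), el.get("name")))
        else:
            parts.append(el.text or "")
        parts.append(el.tail or "")
    return "".join(parts)


# Constructed sample documents (not taken from the advisory).
GOOD_PARA = '<para>Price: <unichar code="0x20AC"/>5, <unichar name="EURO SIGN"/>6</para>'
BAD_PARA = "<para>Look: <unichar code=\"ord('A')\"/> here</para>"

if __name__ == "__main__":
    print(expand_unichars(GOOD_PARA))
    print(find_unsafe_unichars(BAD_PARA))
    try:
        expand_unichars(BAD_PARA)
    except ValueError as err:
        print("rejected:", err)
```

The point of the grammar check is that the attribute is never treated as Python at any stage: a value that is not a literal fails before any conversion, so even "harmless" expressions such as the constructed `ord('A')` are refused rather than evaluated, and the scanner gives the same answer for documents you have not yet rendered.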