{"id":"CVE-2021-3878","details":"corenlp is vulnerable to Improper Restriction of XML External Entity Reference (XXE, CWE-611).","aliases":["GHSA-5h9g-8xcv-qjq9"],"modified":"2026-04-11T21:23:14.972304Z","published":"2021-10-15T14:15:07.857Z","references":[{"type":"FIX","url":"https://huntr.dev/bounties/a11c889b-ccff-4fea-9e29-963a23a63dd2"},{"type":"FIX","url":"https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/stanfordnlp/corenlp","events":[{"introduced":"0"},{"fixed":"4c28eb5f5e44381b4157aa4fcab72e9231ce42b8"},{"fixed":"e5bbe135a02a74b952396751ed3015e8b8252e99"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.3.1"}]}}],"versions":["v1.3.5","v1.3.6","v3.3.0","v3.3.1","v3.4.0","v3.4.1","v3.5.0","v3.5.1","v3.5.2","v3.6.0","v3.7.0","v3.8.0","v3.9.1","v3.9.2","v3.9.2b","v4.1.0","v4.2.0","v4.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-3878.json","vanir_signatures_modified":"2026-04-11T21:23:14Z","vanir_signatures":[{"signature_type":"Function","id":"CVE-2021-3878-7229d502","signature_version":"v1","digest":{"length":1586,"function_hash":"291074622600642610157368812944203434980"},"target":{"function":"createPatternXMLDoc","file":"src/edu/stanford/nlp/semgraph/semgrex/ssurgeon/Ssurgeon.java"},"source":"https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99","deprecated":false},{"signature_type":"Function","id":"CVE-2021-3878-9813aae8","signature_version":"v1","digest":{"length":526,"function_hash":"113266199536841263999060233615632176269"},"target":{"function":"readDocument","file":"src/edu/stanford/nlp/ie/machinereading/common/DomReader.java"},"source":"https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99","deprecated":false},{"signature_type":"Line","id":"CVE-2021-3878-9c0c6d9b","signature_version":"v1","digest":{"threshold":0.9,"line_hashe
s":["43520721332826866978081389765769837818","311326111611860079278883770771580253757","284015593708485329815509971555724572621","201299330372787746440815065572931448919","174143996608599779934398090899519012840","171895115847832278626512948996122655481","27544422830202180997671230688218298402"]},"target":{"file":"src/edu/stanford/nlp/ie/machinereading/common/DomReader.java"},"source":"https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99","deprecated":false},{"signature_type":"Function","id":"CVE-2021-3878-c184250c","signature_version":"v1","digest":{"length":863,"function_hash":"195774482806396804331330397921589092113"},"target":{"function":"readFromFile","file":"src/edu/stanford/nlp/semgraph/semgrex/ssurgeon/Ssurgeon.java"},"source":"https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99","deprecated":false},{"signature_type":"Line","id":"CVE-2021-3878-ef0b7437","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["32642060372119981804040651553716705297","126711288501821075352997964835856383955","272376512348212872158334304444166236833","340094259709667466320011249881867189768","31381996387163615903366194365175756201","161628023665971883443317856409843048974","338514437842053370218888284440184446337","249535337310361220095059048906446184235","22625991252588605524146076067212119259","239472623923091145564852860362663353398","167865824011085792938949664764790814940","313494352930947755695683903344783533648"]},"target":{"file":"src/edu/stanford/nlp/semgraph/semgrex/ssurgeon/Ssurgeon.java"},"source":"https://github.com/stanfordnlp/corenlp/commit/e5bbe135a02a74b952396751ed3015e8b8252e99","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}