{"id":"CVE-2022-4725","details":"A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 is able to address this issue. The name of the patch is c3e6d69422e1f0c80fe53f2d757b8df97619af2b. It is recommended to upgrade the affected component. The identifier VDB-216737 was assigned to this vulnerability.","aliases":["GHSA-f5h9-qx38-2hgp"],"modified":"2026-04-12T04:18:50.195605Z","published":"2022-12-27T15:15:12.130Z","references":[{"type":"ADVISORY","url":"https://github.com/aws-amplify/aws-sdk-android/releases/tag/release_v2.59.1"},{"type":"ADVISORY","url":"https://vuldb.com/?id.216737"},{"type":"FIX","url":"https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b"},{"type":"FIX","url":"https://github.com/aws-amplify/aws-sdk-android/pull/3100"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/aws-amplify/aws-sdk-android","events":[{"introduced":"0"},{"fixed":"9fa874ac5414a0206e39e5430b2336f92a64c6c9"},{"fixed":"c3e6d69422e1f0c80fe53f2d757b8df97619af2b"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.59.1"}],"cpe":"cpe:2.3:a:amazon:aws_software_development_kit:*:*:*:*:*:android:*:*","source":["CPE_FIELD","REFERENCES"]}}],"versions":["release_v2.0.5","release_v2.1.0","release_v2.1.10","release_v2.1.1_general_availability","release_v2.1.7","release_v2.1.8","release_v2.1.9","release_v2.16.12","release_v2.17.0","release_v2.17.1","release_v2.18.0","release_v2.19.0","release_v2.19.2","release_v2.2.0","release_v2.2.1","release_v2.2.10","release_v2.2.11","release_v2.2.12","release_v2.2.13","release_v2.2.14","release_v2.2.15","release_v2.2.16","release_v2.2.17","release_v2.2.18","release_v2.2.19","release_v2.2.2","release_v2.2.20","release_v2.2.21","release_v2.2.22","release_v2.2.3","release_v2.2.4","release_v2.2.5","release_v2.2.6","release_v2.2.7","release_v2.2.8","release_v2.2.9","release_v2.20.0","release_v2.20.1","release_v2.22.1","release_v2.22.2","release_v2.22.3","release_v2.22.4","release_v2.22.5","release_v2.22.6","release_v2.22.7","release_v2.23.0","release_v2.24.0","release_v2.25.0","release_v2.26.0","release_v2.27.0","release_v2.28.0","release_v2.29.0","release_v2.3.0","release_v2.3.1","release_v2.3.2","release_v2.3.3","release_v2.3.4","release_v2.3.5","release_v2.3.6","release_v2.3.7","release_v2.3.8","release_v2.3.9","release_v2.30.0","release_v2.31.0","release_v2.32.0","release_v2.33.0","release_v2.34.0","release_v2.35.0","release_v2.36.0","release_v2.37.0","release_v2.37.1","release_v2.38.0","release_v2.39.0","release_v2.4.0","release_v2.4.1","release_v2.4.2","release_v2.4.3","release_v2.4.4","release_v2.4.5","release_v2.4.6","release_v2.4.7","release_v2.40.0","release_v2.41.0","release_v2.41.1","release_v2.42.0","release_v2.43.0","release_v2.44.0","release_v2.45.0","release_v2.46.0","release_v2.47.0","release_v2.48.0","release_v2.48.1","release_v2.49.0","release_v2.50.0","release_v2.50.1","release_v2.51.0","release_v2.52.0","release_v2.52.1","release_v2.53.0","release_v2.54.0","release_v2.55.0","release_v2.56.0","release_v2.57.0","release_v2.58.0","release_v2.59.0","release_v2.6.0","release_v2.6.1","release_v2.6.2","release_v2.6.3","release_v2.6.4","release_v2.6.5","release_v2.6.6"],"database_specific":{"vanir_signatures_modified":"2026-04-12T04:18:50Z","vanir_signatures":[{"digest":{"line_hashes":["239574728121346192352555766923918529269","206119398131155453787142411330778572187","134642957712412521989183243001296905014","248894198018008561857298420578776946294","209429982321472848236956227786047446865"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"aws-android-sdk-core/src/main/java/com/amazonaws/regions/RegionMetadataParser.java"},"signature_version":"v1","id":"CVE-2022-4725-6d991850","source":"https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b"},{"digest":{"length":789,"function_hash":"143857844526581926664043422112141070702"},"signature_type":"Function","deprecated":false,"target":{"function":"internalParse","file":"aws-android-sdk-core/src/main/java/com/amazonaws/regions/RegionMetadataParser.java"},"signature_version":"v1","id":"CVE-2022-4725-920eae5b","source":"https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b"},{"digest":{"line_hashes":["298365840048246449142260881838548304703","109651989595727957151610346065093851960","46347670837716235297491961621300209601","278217818761040257459908637078082591599"],"threshold":0.9},"signature_type":"Line","deprecated":false,"target":{"file":"aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java"},"signature_version":"v1","id":"CVE-2022-4725-9ecb505e","source":"https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-4725.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}