CodeNewbie Community 🌱

Sharon428931


CVE-2023-4357: Chromium XXE Vulnerability Fully Reproduced

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

A critical XXE-style (XML External Entity) vulnerability was discovered in Chromium, the open-source project behind major browsers like Chrome, Edge, Brave, and Opera. The flaw allows a malicious web page to read local files by bypassing Chromium's file-access restrictions, a serious information disclosure.

Let’s break down how it works, and why it’s dangerous.


What Caused the Vulnerability?

The issue, tracked as CVE-2023-4357, stems from Chromium's integration of libxslt, the library Chromium uses for XSLT (Extensible Stylesheet Language Transformations) processing.

Here’s the core problem:

  • libxslt supports the XSLT document() function in XSL stylesheets
  • document() loads an external XML document by URL and makes its contents available to the transform, which is where the XXE-style read comes from
  • Chromium did not consistently enforce its file-access restrictions on the URLs that document() loaded
  • As a result, a stylesheet served from an ordinary http(s):// page could point document() at a file:// URL and pull that file's contents into the transform output

Even worse: when Chromium runs with the --no-sandbox flag, the attacker can read any file the browser process itself can read, with no further restrictions.


How Attackers Exploit It

The exploit is deceptively simple and highly stealthy.

An attacker builds a malicious website that embeds:

  • A crafted SVG image
  • A malicious XSL stylesheet

Once a user visits the page, Chromium loads the SVG, applies the stylesheet, and the vulnerable document() call reads the targeted local file into the transformed output, silently and in the background.

There’s no prompt, no warning, and likely no trace. That’s what makes this flaw so dangerous.
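To make the pattern concrete, here is an added example (not code from the original post or from Chaitin) that does what a WAF or a content scanner in front of a headless renderer would do: pull the xml-stylesheet reference out of an SVG, then scan the referenced XSLT for document() calls and xsl:include/xsl:import hrefs that point at file: URLs. It uses only the Python standard library; the SVG, the malicious stylesheet and the benign one are constructed samples, and the file path inside them is illustrative.

```python
"""Scan an SVG and its XSLT stylesheet for the document()-based local file
read pattern. Stdlib only. All sample documents are constructed for this
example; they are not the original proof of concept."""
import re
from urllib.parse import urlsplit
from xml.dom import minidom

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# document('literal') with a quoted argument, or document(<anything else>)
DOC_CALL = re.compile(r"""document\s*\(\s*(?:(['"])([^'"]*)\1|([^)]*))\s*\)""")


def stylesheet_hrefs(xml_text):
    """Return the href of every <?xml-stylesheet ... ?> processing instruction.

    This is how an SVG pulls in an XSL stylesheet; minidom keeps document-level
    PIs, so they show up as children of the Document node."""
    doc = minidom.parseString(xml_text)
    hrefs = []
    for node in doc.childNodes:
        if (node.nodeType == node.PROCESSING_INSTRUCTION_NODE
                and node.target == "xml-stylesheet"):
            m = re.search(r"""href\s*=\s*(["'])(.*?)\1""", node.data)
            if m:
                hrefs.append(m.group(2))
    return hrefs


def scan_stylesheet(xsl_text):
    """Return a list of (severity, reason) findings for one XSLT stylesheet."""
    doc = minidom.parseString(xsl_text)
    findings = []
    for elem in doc.getElementsByTagName("*"):
        # xsl:include / xsl:import fetch another stylesheet by URL
        if elem.namespaceURI == XSL_NS and elem.localName in ("include", "import"):
            href = elem.getAttribute("href")
            if urlsplit(href).scheme == "file":
                findings.append(("high", f"xsl:{elem.localName} href={href!r}"))
        # document() can appear in any XPath-bearing attribute (select, test, ...)
        for name, value in elem.attributes.items():
            for m in DOC_CALL.finditer(value):
                literal, dynamic = m.group(2), m.group(3)
                if literal is not None:
                    scheme = urlsplit(literal).scheme
                    if scheme == "file":
                        findings.append(("high", f"document({literal!r}) in @{name}"))
                    elif scheme not in ("", "http", "https"):
                        findings.append(("medium", f"document({literal!r}) uses scheme {scheme!r}"))
                else:
                    # URL only known at transform time: cannot prove it is safe
                    findings.append(("medium", f"document() with dynamic argument {dynamic.strip()!r} in @{name}"))
    return findings


# Constructed SVG that references an external stylesheet, as the post describes.
SVG = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="evil.xsl"?>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>
"""

# Constructed stylesheet using the document()-on-file:// pattern (illustrative path).
MALICIOUS_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <svg xmlns="http://www.w3.org/2000/svg">
      <text><xsl:copy-of select="document('file:///etc/passwd')"/></text>
    </svg>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed benign stylesheet: identity copy, no external loads.
BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:copy-of select="/"/></xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    print("stylesheets referenced by SVG:", stylesheet_hrefs(SVG))
    print("malicious:", scan_stylesheet(MALICIOUS_XSL))
    print("benign:", scan_stylesheet(BENIGN_XSL))
```

Dynamic arguments are reported at medium severity because the URL is only known at transform time; for stylesheets from untrusted sources the stricter policy is to reject any document() call outright. This catches the stylesheet-level pattern only; the browser-side fix is still the Chromium update.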


Impact

  • Browsers Affected: Chrome, Edge, Opera, Brave — basically anything based on Chromium
  • Security Risk: Unauthorized local file access
  • High Risk in Headless / Electron Apps: embedded and automation browsers that run with --no-sandbox lose the last line of defense and are the most attractive targets
  • Potential Damage: Sensitive data leaks, privacy violations, local recon for more advanced attacks

Affected Versions

  • Chrome < 116.0.5845.96
  • All other browsers or apps using affected Chromium versions

Mitigation & Patch

Temporary Workaround

  • Don't click suspicious or unknown links
  • Be cautious with websites and services that render untrusted SVG or XSLT content
  • Avoid --no-sandbox unless absolutely necessary; it turns a limited file read into unrestricted access

Permanent Fix

Google released a patched version of Chrome on August 31, 2023.

To update manually:

  1. Open Chrome
  2. Go to chrome://settings/help
  3. Ensure you're on version 116.0.5845.96 or above

More info: Chromium Release Notes
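For headless or Electron fleets where opening chrome://settings/help is not an option, here is an added helper (not from the original post) that checks the output of a `chrome --version` style command against the fixed version and flags the launch switches this post calls out. The version strings and command line are constructed samples; the threshold 116.0.5845.96 is the one given in the post.

```python
"""Patch-level and launch-flag check for CVE-2023-4357 on a fleet of
Chromium-based processes. Constructed example, not from the original post."""
import re

# First fixed Chrome version according to the post.
FIXED_VERSION = (116, 0, 5845, 96)

# Switches that widen the blast radius: --no-sandbox removes the sandbox
# entirely, --headless marks the unattended use case the post calls out.
RISKY_SWITCHES = ("--no-sandbox", "--headless", "--headless=new")


def parse_chromium_version(version_output):
    """Extract the four-part version from strings such as
    'Google Chrome 115.0.5790.170' or 'Chromium 116.0.5845.96 snap'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", version_output)
    if not m:
        raise ValueError(f"no Chromium-style version in {version_output!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_output):
    """True if the reported version is at or above the fixed version."""
    return parse_chromium_version(version_output) >= FIXED_VERSION


def risky_switches(argv):
    """Return the risky launch switches present on a Chromium command line."""
    return sorted(a for a in argv if a in RISKY_SWITCHES)


def audit(version_output, argv):
    """Summarise one process: (patched?, risky switches found)."""
    return is_patched(version_output), risky_switches(argv)


if __name__ == "__main__":
    # Constructed sample inputs; on a real host feed in `chrome --version`
    # and the process's argv (e.g. from /proc/<pid>/cmdline).
    print(audit("Google Chrome 115.0.5790.170",
                ["chrome", "--headless", "--no-sandbox", "--disable-gpu"]))
    print(audit("Chromium 116.0.5845.96", ["chromium", "--headless=new"]))
```

For Electron apps, compare the bundled Chromium version (exposed inside the app as process.versions.chrome), not the application's own version number.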


Reproduction Status


Timeline

  • June 29, 2023 – Vulnerability reported by Igor Sak-Sakovskii
  • Aug 31, 2023 – Chromium patch released
  • Oct 25, 2023 – Public disclosure of the vulnerability
  • Nov 17, 2023 – Reproduced by Chaitin Emergency Response Lab
  • Nov 17, 2023 – Official advisory published by Chaitin Security


Stay updated, stay secure. If your browser runs on Chromium, make sure it’s patched.


Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
