CVE-2022-23437 | Infinite loop within Apache XercesJ xml parser

There is a vulnerability in the Apache Xerces Java (XercesJ) XML parser when it handles a specially crafted XML document. The crafted input causes the XercesJ parser to wait in an infinite loop, which may consume system resources (CPU time and a blocked parsing thread) for a prolonged duration. The vulnerability is present in XercesJ version 2.12.1 and earlier.

Published: 2022-01-24 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2022-23437 is rated Moderate Risk (61.9/100): CVSS Medium severity, with high exploitation likelihood (EPSS 4.44%, 90th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +4.35% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2022-23437

EPSS lead: The daily EPSS score estimates the relative likelihood that this CVE will be exploited; the percentile ranks it among all scored vulnerabilities (a higher percentile means a higher relative likelihood of exploitation, not a higher severity).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.09% 4.44% +4.35%
2 2026-03-04 0.04% 0.09% +0.05%
3 2026-03-01 0.04%

Full EPSS history (34 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2022-23437

CVSS metrics for this CVE.

Base score  Version  Severity  Vector                                        Exploitability  Impact  Score source
6.5         3.1      MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  2.8             3.6     [email protected]
7.1         2.0      HIGH      AV:N/AC:M/Au:N/C:N/I:N/A:C                    8.6             6.9     [email protected]

CVSS 3.1 vector breakdown:
Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

CVSS 2.0 vector breakdown:
Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:C): Complete availability impact.

Weakness enumeration for CVE-2022-23437

GitHub Security Advisory for CVE-2022-23437

GHSA-h65f-jvqw-m9fj · Severity: medium · Ecosystem: maven — Infinite Loop in Apache Xerces Java

OS Trackers for CVE-2022-23437

Vendor / priority / summary / link:

debian (priority: not yet assigned)
  1 source package (libxerces2-java); 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1.
  https://security-tracker.debian.org/tracker/CVE-2022-23437

redhat (priority: medium)
  https://access.redhat.com/security/cve/CVE-2022-23437

suse (priority: high; SUSE severity: important)
  263 source package names (5.0.0-beta1.2.122:xerces-j2-2.12.2-150200.3.7.3, 5.1.0.6.40:xerces-j2-2.12.2-150200.3.7.3, …); 406 product×package rows across 81 product lines (Container bci/kiwi, Container suse/manager/5.0/x86_64/server, …): Known Affected 231, Fixed 175.
  https://www.suse.com/security/cve/CVE-2022-23437/

ubuntu (priority: medium)
  1 source package (libxerces2-java); 14 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): needs-triage 8, ignored 6.
  https://ubuntu.com/security/CVE-2022-23437

Affected software / configurations for CVE-2022-23437

Vendor Product Version Raw CPE
apache xerces-j <= 2.12.1 cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*
oracle agile_engineering_data_management 6.2.1.0 cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
oracle agile_plm 9.3.6 cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
oracle banking_deposits_and_lines_of_credit_servicing 2.7 cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*
oracle banking_party_management 2.7.0 cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*
oracle communications_asap 7.3 cpe:2.3:a:oracle:communications_asap:7.3:*:*:*:*:*:*:*
oracle communications_element_manager < 9.0 cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
oracle communications_session_report_manager < 9.0 cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
oracle communications_session_route_manager < 9.0 cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure >= 8.0.6.0.0, <= 8.0.9.0 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle financial_services_analytical_applications_infrastructure >= 8.1.0.0, < 8.1.2.0 cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
oracle financial_services_behavior_detection_platform >= 8.0.6.0.0, <= 8.0.8.0 cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*
oracle financial_services_behavior_detection_platform 8.1.1.0 cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*
oracle financial_services_behavior_detection_platform 8.1.1.1 cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*
oracle financial_services_behavior_detection_platform 8.1.2.0 cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*
oracle financial_services_crime_and_compliance_management_studio 8.0.8.2.0 cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*
oracle financial_services_crime_and_compliance_management_studio 8.0.8.3.0 cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.7.1 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.7.2.0 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.8.0 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.0.8.1 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.1.1.0 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*
oracle financial_services_enterprise_case_management 8.1.1.1 cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*
oracle flexcube_universal_banking 12.4.0 cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:*:*:*:*:*:*:*
oracle global_lifecycle_management_nextgen_oui_framework < 13.9.4.2.2 cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*
oracle global_lifecycle_management_nextgen_oui_framework 13.9.4.2.2 cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*
oracle global_lifecycle_management_opatch < 12.2.0.1.30 cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*
oracle health_sciences_information_manager >= 3.0.1, <= 3.0.5 cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*
oracle health_sciences_information_manager 3.0.0.1 cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:*:*:*:*:*:*:*
oracle ilearning 6.2 cpe:2.3:a:oracle:ilearning:6.2:*:*:*:*:*:*:*
oracle ilearning 6.3 cpe:2.3:a:oracle:ilearning:6.3:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.58 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools 8.59 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
oracle primavera_gateway >= 17.7, <= 17.12.11 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway >= 18.8.0, <= 18.8.14 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway >= 19.12.0, <= 19.12.13 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle primavera_gateway >= 20.12.0, <= 20.12.8 cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
oracle product_lifecycle_analytics 3.6.1 cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
oracle retail_bulk_data_integration 16.0.3.0 cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*
oracle retail_extract_transform_and_load 13.2.8 cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*
oracle retail_financial_integration 14.1.3.2 cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*
oracle retail_financial_integration 15.0.3.1 cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*
oracle retail_financial_integration 16.0.3 cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*
oracle retail_financial_integration 19.0.1 cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*
oracle retail_integration_bus 14.1.3.2 cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*
oracle retail_integration_bus 15.0.3.1 cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*
oracle retail_integration_bus 16.0.3 cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*
oracle retail_integration_bus 19.0.1 cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*
oracle retail_merchandising_system 16.0.3 cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*
oracle retail_merchandising_system 19.0.1 cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*
oracle retail_service_backbone 14.1.3.2 cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*
oracle retail_service_backbone 15.0.3.1 cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*
oracle retail_service_backbone 16.0.3 cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*
oracle retail_service_backbone 19.0.1 cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.3.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.4.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
oracle weblogic_server 14.1.1.0.0 cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
netapp active_iq_unified_manager cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

References for CVE-2022-23437
