Inconsistent Path Normalization in WINPATH Build Option
Executive Summary
The Discovery
During a source code audit, I identified an Inconsistent Path Normalization logic flaw. When the WINPATH build option was enabled on POSIX/Linux systems, libxml2 forcefully converted backslashes \ to forward slashes / at the parser level.
The Impact
This created a dangerous blind spot. OS-level security filters and WAFs treat \ as a literal filename character on Linux, allowing traversal payloads (e.g., ..\..\etc\passwd) to slip through undetected. libxml2 would then silently normalize them into actual traversal sequences in the backend, leading to Security Filter Bypasses, Path Traversal, and XXE.
The Resolution
I collaborated closely with the upstream maintainers. Because we caught this early before it impacted widespread stable downstream releases, we prioritized a robust architectural fix over a traditional CVE.
The maintainers merged a patch (MR !398) introducing a new C API runtime switch (xmlSetWinPathEnabled). This ensures Windows-style path processing remains strictly Opt-in on non-Windows platforms, killing the bypass vector and keeping the library Secure by Default! 🔒
A big thank you to the maintainers, James Lan and Daniel Garcia Moreno, for the swift analysis, transparent discussion, and the excellent architectural fix! 🤝
References
Impact Assessment
Path normalization inconsistency in WINPATH build option enables OS-level security filter and WAF bypass, allowing attackers to circumvent security controls.
Disclosure Timeline
- January 15, 2026: Vulnerability discovered during source code audit
- January 20, 2026: Vendor notification and collaborative analysis
- February 15, 2026: Architectural fix merged (MR !398)
- March 01, 2026: Patch widely deployed in stable releases