Researchers discovered a code execution flaw in NSA GHIDRA

Pierluigi Paganini October 09, 2019

Security researchers discovered a code-execution vulnerability that affects versions through 9.0.4 of the Ghidra software reverse engineering (SRE) framework.

GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).

The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that details CIA hacking techniques, tools, and capabilities. Digging in the huge trove of files, it is possible to find also information about the GHIDRA, a Java-based engineering tool.

NSA has released the suite Ghidra in March, it could be used to find vulnerabilities and security holes in applications.

Ghidra is Apache 2.0-licensed and requires a Java runtime, it is available
for download here. Of course, people fear the US Agency may have introduced a backdoor in the suite, but the NSA excluded it.

A couple of weeks ago, security researchers discovered a vulnerability in the Ghidra tool, tracked as CVE-2019-16941, that could be exploited by an attacker to execute arbitrary code within the context of the affected application. The researchers discovered that the flaw could be exploited only when the experimental mode is enabled.

The vulnerability resides in the Read XML Files feature of Bit Patterns Explorer, an attacker could exploit it by using modified XML documents.

“NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document.” reads the security advisory. “This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).”

The vulnerability has been rated as “critical severity” and received a CVSS score of 9.8.

The NSA attempted to downplay the severity of the flaw explaining that it is hard to exploit.

#Ghidra Users: A flaw currently exists within Ghidra versions through 9.0.4. The conditions needed to exploit this flaw are rare and a patch is currently being worked. This flaw is not a serious issue as long as you don’t accept XML files from an untrusted source.
— NSA/CSS (@NSAGov) September 30, 2019

The good news is that the issue has been already fixed, a patch is available for those who build Ghidra themselves from the master branch.

#Ghidra users: This bug, CVE-2019-16941, has been fixed!

The fix is available now for those who build Ghidra themselves from the master branch. https://t.co/oB5GdjWJoo
— NSA/CSS (@NSAGov) October 2, 2019

The Ghidra 9.1 release, that is currently in beta testing, will also address the flaw.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – NSA, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini June 28, 2025

The FBI warns that Scattered Spider is now targeting the airline sector

Pierluigi Paganini June 28, 2025