CVE-2020-25020

9.8 CRITICAL

📋 TL;DR

CVE-2020-25020 is an XML External Entity (XXE) vulnerability in MPXJ library versions through 8.1.3. When an application parses a malicious project file, an attacker can read arbitrary files from the server filesystem or conduct server-side request forgery attacks. This affects any application using MPXJ's GanttProjectReader or PhoenixReader components to process untrusted project files.

💻 Affected Systems

Products:
  • MPXJ library
  • Applications using MPXJ GanttProjectReader
  • Applications using MPXJ PhoenixReader
Versions: All versions through 8.1.3
Operating Systems: All platforms running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that process untrusted project files using the vulnerable readers. Applications using other MPXJ components are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary file read leading to credential theft, followed by lateral movement and data exfiltration.

🟠 Likely Case: Sensitive file disclosure (configuration files, credentials, source code) from the server hosting the vulnerable application.

🟢 If Mitigated: Limited impact with proper input validation and XML parser hardening in place.

🌐 Internet-Facing: HIGH if application accepts file uploads from untrusted sources.
🏢 Internal Only: MEDIUM if only internal users can upload files, but still significant due to potential lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE vulnerabilities are well-understood with many public exploit examples. Exploitation requires the application to process a malicious project file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.4 and later

Vendor Advisory: https://github.com/joniles/mpxj/security/advisories

Restart Required: Yes

Instructions:

1. Update MPXJ dependency to version 8.1.4 or later.
2. Update pom.xml or build.gradle to reference the patched version.
3. Rebuild and redeploy the application.
4. Restart the application server.

🔧 Temporary Workarounds

Disable XXE in XML parser

Configure XML parsers to disable external entity processing

Set XMLInputFactory properties on the factory instance: setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false) and setProperty(XMLInputFactory.SUPPORT_DTD, false)

Input validation and filtering

Validate and sanitize project files before processing

Implement file type validation and content inspection before passing to MPXJ readers
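
One way to combine the two workarounds above, as an added example (not MPXJ's or the advisory's own code): a gate that parses the uploaded bytes with a hardened JDK SAX parser and rejects anything carrying a DOCTYPE before the file is handed to an MPXJ reader. It uses the disallow-doctype-decl SAX feature rather than the XMLInputFactory properties named above; ProjectFileGate, isSafeProjectXml and the sample strings are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Added example: ProjectFileGate and isSafeProjectXml are hypothetical names, not MPXJ API.
public class ProjectFileGate {

    // Returns true only for well-formed XML that carries no DOCTYPE declaration.
    // Fails closed: any parser or configuration error is treated as "reject".
    static boolean isSafeProjectXml(byte[] upload) {
        try {
            SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Any DOCTYPE aborts the parse, so no entity (internal or external) is ever defined.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case the feature above is ever relaxed.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.newSAXParser().parse(new ByteArrayInputStream(upload), new DefaultHandler());
            return true;
        } catch (SAXException | ParserConfigurationException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not real GanttProject or Phoenix files.
        String plain = "<?xml version=\"1.0\"?><project name=\"demo\"><tasks/></project>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE project [<!ENTITY e \"placeholder\">]>"
                + "<project name=\"&e;\"><tasks/></project>";
        String truncated = "<?xml version=\"1.0\"?><project name=\"demo\">";

        for (String sample : new String[] {plain, withDoctype, truncated}) {
            boolean ok = isSafeProjectXml(sample.getBytes(StandardCharsets.UTF_8));
            System.out.println((ok ? "ACCEPT " : "REJECT ") + sample);
        }
    }
}
```

Run the gate on the buffered upload and pass the same bytes to the reader only when it returns true. The feature URIs assume the JDK's built-in Xerces-based parser; a different JAXP implementation on the classpath may not recognise them, in which case the gate rejects every file.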

🧯 If You Can't Patch

  • Implement strict file upload controls and only accept files from trusted sources
  • Deploy web application firewall with XXE protection rules

🔍 How to Verify

Check if Vulnerable:

Check if application uses MPXJ version ≤8.1.3 and processes project files via GanttProjectReader or PhoenixReader

Check Version:

Maven: mvn dependency:tree | grep mpxj
Gradle: gradle dependencies | grep mpxj

Verify Fix Applied:

Verify MPXJ version is ≥8.1.4 in dependencies and test with known malicious project files

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from application process
  • XML parsing errors with external entity references

Network Indicators:

  • Outbound connections from application to unexpected internal systems

SIEM Query:

source="application.log" AND ("XXE" OR "external entity" OR "file://" OR "http://" in XML parsing context)
