CVE-2025-12921
📋 TL;DR
This XML injection vulnerability in OpenClinica Community Edition allows attackers to manipulate XML data during CRF data import. It affects OpenClinica Community Edition up to versions 3.12.2 and 3.13. The vulnerability can be exploited remotely without authentication.
💻 Affected Systems
- OpenClinica Community Edition
📦 What is this software?
Openclinica by Openclinica
⚠️ Risk & Real-World Impact
Worst Case
Successful XML External Entity (XXE) attacks could lead to sensitive data disclosure, server-side request forgery, or denial of service through file system access.
Likely Case
Attackers can inject malicious XML content to manipulate imported clinical data integrity or extract limited information from the server.
If Mitigated
With proper input validation and XML parser hardening, the impact is limited to failed import attempts or rejected malicious payloads.
🎯 Exploit Status
Proof-of-concept exploit is publicly available on GitHub. The vulnerability requires XML manipulation knowledge but is straightforward to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown - vendor did not respond to disclosure
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject XML files containing external entity declarations or suspicious XML structures.
- Implement XML schema validation before processing
- Use secure XML parsers with external entity processing disabled
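As an added example (not OpenClinica's code or the finding author's), the following pre-import check shows the hardened-parser workaround above: it refuses any DOCTYPE, entity declaration or external entity reference before the document reaches the importer, using only the standard-library expat parser. The element names and sample payloads are constructed for illustration and assume nothing about OpenClinica's actual import code.

```python
"""Pre-import hardening check for an XML CRF data import endpoint.

Any DOCTYPE, entity declaration or external entity reference is rejected,
so the parser never resolves external resources on the importer's behalf.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document uses DTD features the importer does not allow."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # A clinical data import never needs a DTD, so refuse every DOCTYPE,
    # whether its entities are internal or external.
    raise UnsafeXmlError(f"DOCTYPE declaration not allowed (root: {name})")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafeXmlError(f"entity declaration not allowed: {name}")


def _reject_external_ref(context, base, sysid, pubid):
    raise UnsafeXmlError(f"external entity reference not allowed: {sysid}")


def parse_import_safely(xml_bytes):
    """Parse with DTD processing refused; return root name and element count.

    Raises UnsafeXmlError on DTD constructs (expat propagates exceptions
    raised inside handlers) and ExpatError on malformed input.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external_ref
    summary = {"root": None, "elements": 0}

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)
    return summary


def check_import(xml_bytes):
    """Return (accepted, reason) so the endpoint can log every rejection."""
    try:
        summary = parse_import_safely(xml_bytes)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"root <{summary['root']}> with {summary['elements']} elements"


# Constructed sample inputs (not real study data).
BENIGN_IMPORT = (b'<?xml version="1.0"?><ODM><ClinicalData StudyOID="S_EXAMPLE">'
                 b'<SubjectData SubjectKey="SS_1"/></ClinicalData></ODM>')
DTD_IMPORT = (b'<?xml version="1.0"?><!DOCTYPE ODM [<!ENTITY note "x">]>'
              b'<ODM>&note;</ODM>')
```

Wire `check_import` in front of the real parser and log the returned reason; the rejection messages line up with the DOCTYPE/ENTITY indicators listed under Detection & Monitoring.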
Web Application Firewall Rules
Deploy WAF rules to block requests containing XXE payload patterns to the vulnerable endpoint.
- Add WAF rule: Block requests to /ImportCRFData containing DOCTYPE, ENTITY, or SYSTEM declarations
🧯 If You Can't Patch
- Restrict network access to the OpenClinica instance using firewall rules to only allow trusted sources.
- Implement strict authentication and authorization controls for the CRF Data Import functionality.
🔍 How to Verify
Check if Vulnerable:
Test by attempting to import an XML file containing XXE payloads to the /ImportCRFData endpoint and observing if external entities are processed.
Check Version:
Check OpenClinica version in web interface or configuration files. For web interface: Navigate to About or System Information page.
Verify Fix Applied:
Verify that XML files with external entity declarations are rejected or processed without resolving external references.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML import attempts
- Failed import requests with XML parsing errors
- Requests to /ImportCRFData containing DOCTYPE declarations
Network Indicators:
- POST requests to /ImportCRFData with XML content
- Outbound connections from server following XML imports
SIEM Query:
source="openclinica" AND (uri_path="/ImportCRFData" AND (request_body CONTAINS "DOCTYPE" OR request_body CONTAINS "ENTITY" OR request_body CONTAINS "SYSTEM"))
🔗 References
- https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-xxe.md
- https://github.com/mikecole-mg/security_findings/blob/main/openclinica/openclinica-xxe.md#poc
- https://vuldb.com/?ctiid.331641
- https://vuldb.com/?id.331641
- https://vuldb.com/?submit.680872