CVE-2025-64518
📋 TL;DR
The CycloneDX core Java library's XML validator is vulnerable to XML External Entity (XXE) injection: the JAXP SchemaFactory used for schema validation was created without the properties that block external DTD and schema resolution. An attacker who can get the application to validate a crafted XML document can read files the JVM process can read, reach internal network services through SYSTEM identifiers (SSRF), or cause denial of service through entity expansion. Applications using cyclonedx-core-java versions 2.1.0 through 11.0.0 (inclusive) for XML validation are affected; 11.0.1 fixes the issue.
💻 Affected Systems
- cyclonedx-core-java
⚠️ Manual Verification Required
Automated detection in this database keys on recorded version ranges, and none were recorded for this entry, so it cannot tell whether your system is affected.
Why? The database entry carries no version ranges. The TL;DR above and the vendor advisory linked under Fix & Mitigation do give the affected range (2.1.0 through 11.0.0, fixed in 11.0.1), so check the version you actually ship, including transitive pulls, rather than relying on the automated result.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Disclosure of any file the JVM process can read (credentials, private keys, configuration), server-side request forgery against internal services reachable from the host, and denial of service through entity expansion. XXE in Java does not by itself yield remote code execution; the realistic worst case is credential theft that leads to further compromise, not direct RCE.
Likely Case
Unauthorized file system access leading to information disclosure of sensitive server files.
If Mitigated
Limited impact when untrusted XML is rejected or pre-filtered before validation, the process runs with least-privilege file permissions so little of value is readable, and egress filtering blocks the out-of-band exfiltration and SSRF paths. Network segmentation limits where an SSRF can reach; it does not stop local file disclosure.
🎯 Exploit Status
XXE exploitation is well-documented with standard payloads. No specific exploit code published for this vulnerability yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.1
Vendor Advisory: https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r
Restart Required: Yes. The fix is a library upgrade, so the application must be rebuilt and redeployed; there is no runtime switch.
Instructions:
1. Update the cyclonedx-core-java dependency to version 11.0.1 or later.
2. Update pom.xml or build.gradle to reference the new version (pin it explicitly if it arrives transitively through another artifact).
3. Rebuild and redeploy the application.
🔧 Temporary Workarounds
Reject XML documents before validation:
- If only JSON BOMs are expected, reject XML input outright before it reaches cyclonedx-core-java
- Otherwise check the content type or file extension, and refuse any XML document that contains a DOCTYPE declaration; entity declarations can only appear there, and a CycloneDX BOM does not need one
🧯 If You Can't Patch
- Parse untrusted XML with a securely configured parser (DOCTYPE disallowed, external DTD and schema access disabled) and reject it on any error before passing it to cyclonedx-core-java
- Disable XML processing entirely if only JSON format is required
- As a JVM-wide stopgap, start the JVM with -Djavax.xml.accessExternalDTD= -Djavax.xml.accessExternalSchema= (empty values) so the JDK's built-in JAXP implementation refuses external DTD and schema fetches by default; this does not govern a third-party parser on the classpath, so verify the code path you actually use
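A worked example of both pieces discussed in the fix and workaround sections above, added here and not taken from the cyclonedx-core-java project: a pre-validation gate that rejects any XML carrying a DOCTYPE, and a SchemaFactory/Validator configured the way the OWASP cheat sheet in the references recommends (external DTD and schema access set to the empty string), which is the class of change the fix applies. The class and method names (SbomXmlGate, rejectDoctype, hardenedValidator), the urn:example:bom namespace, the tiny inline XSD and the two sample documents are all constructed for this example; the real CycloneDX schema is not included, and the XSD is supplied by the caller.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

import org.xml.sax.SAXException;

// Added example (not cyclonedx-core-java code): a DOCTYPE gate to run before
// handing untrusted XML to the library, plus a SchemaFactory hardened as the
// OWASP XXE cheat sheet recommends. All names here are hypothetical.
public class SbomXmlGate {

    /** Rejects any document that declares a DOCTYPE. Entities (internal or
     *  external) can only be declared there, and a CycloneDX BOM never needs
     *  one, so this is a cheap pre-filter for an application that cannot
     *  upgrade yet. The parsed DOM is discarded on purpose. */
    public static void rejectDoctype(byte[] xml) throws IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        try {
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
            dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        } catch (ParserConfigurationException | SAXException e) {
            throw new IOException("rejected before validation: " + e.getMessage(), e);
        }
    }

    /** Schema validator that cannot fetch external DTDs or schemas. Setting
     *  ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" on both the
     *  factory and the Validator is the OWASP-recommended configuration. */
    public static Validator hardenedValidator(InputStream xsd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Validator v = sf.newSchema(new StreamSource(xsd)).newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demo; the namespace and schema are
        // stand-ins, not the real CycloneDX BOM schema.
        String xsd = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
            + " targetNamespace=\"urn:example:bom\" xmlns=\"urn:example:bom\""
            + " elementFormDefault=\"qualified\">"
            + "<xs:element name=\"bom\"><xs:complexType><xs:sequence>"
            + "<xs:element name=\"components\" type=\"xs:string\"/>"
            + "</xs:sequence></xs:complexType></xs:element></xs:schema>";
        String benign = "<?xml version=\"1.0\"?>"
            + "<bom xmlns=\"urn:example:bom\"><components/></bom>";
        String xxe = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE bom [<!ENTITY x SYSTEM \"file:///etc/hostname\">]>"
            + "<bom xmlns=\"urn:example:bom\"><components>&x;</components></bom>";

        rejectDoctype(bytes(benign));
        System.out.println("gate: benign document accepted");
        try {
            rejectDoctype(bytes(xxe));
        } catch (IOException e) {
            System.out.println("gate: " + e.getMessage());
        }

        Validator v = hardenedValidator(new ByteArrayInputStream(bytes(xsd)));
        v.validate(new StreamSource(new ByteArrayInputStream(bytes(benign))));
        System.out.println("validator: benign document is schema-valid");
        try {
            // Even without the gate, the hardened validator refuses to resolve
            // the file:// entity instead of reading the file into the document.
            v.validate(new StreamSource(new ByteArrayInputStream(bytes(xxe))));
        } catch (SAXException | IOException e) {
            System.out.println("validator: " + e.getMessage());
        }
    }

    private static byte[] bytes(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }
}
```

Run rejectDoctype on the raw bytes before anything else touches them; the gate is the cheap control, the hardened validator is the defence in depth that a patched library provides for you. The gate errors on the XXE sample because of the DOCTYPE alone, without ever resolving the entity; the hardened validator errors because the JDK blocks the file: access for the external entity, so in neither path is /etc/hostname read.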
🔍 How to Verify
Check if Vulnerable:
The dependency on cyclonedx-core-java resolves to any version from 2.1.0 through 11.0.0 inclusive, whether declared directly in pom.xml or build.gradle or pulled in transitively by another artifact
Check Version:
mvn dependency:tree | grep cyclonedx-core-java
gradle dependencies | grep cyclonedx-core-java
Verify Fix Applied:
Verify cyclonedx-core-java version is 11.0.1 or higher in dependencies
📡 Detection & Monitoring
Log Indicators:
- The JVM process opening files unrelated to its function (for example /etc/passwd, key material or application config) during XML parsing, visible in auditd or EDR file-access telemetry
- XML processing errors that mention entity expansion limits, unresolvable SYSTEM identifiers, or external access blocked by the accessExternalDTD property
Network Indicators:
- Inbound XML payloads containing a DOCTYPE with ENTITY declarations, especially SYSTEM identifiers pointing at file:, http: or ftp: URLs
- Outbound HTTP, FTP or DNS from the JVM to unexpected hosts while an XML document is being processed (out-of-band XXE exfiltration or SSRF)
SIEM Query:
source="application_logs" AND (message="*XXE*" OR message="*external entity*" OR message="*DOCTYPE*")
🔗 References
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory
- https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
- https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314
- https://github.com/CycloneDX/cyclonedx-core-java/pull/737
- https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r