CVE-2025-66371

5.0 MEDIUM
XXE

📋 TL;DR

CVE-2025-66371 is an XML External Entity (XXE) vulnerability in peppol-py versions before 1.1.1. It allows attackers to read arbitrary files from the server filesystem when processing XML invoices. This affects any system using vulnerable peppol-py versions for PEPPOL invoice validation.

💻 Affected Systems

Products:
  • peppol-py
Versions: All versions before 1.1.1
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default Saxon XML parser configuration. It only affects systems that process XML invoices through peppol-py.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server filesystem disclosure, including sensitive files such as /etc/passwd, SSH keys, configuration files, and database credentials, potentially leading to full system compromise.

🟠 Likely Case: Partial filesystem disclosure exposing configuration files, logs, and potentially sensitive data stored in accessible directories.

🟢 If Mitigated: Limited impact with proper file permissions and network segmentation, potentially exposing only non-sensitive files.

🌐 Internet-Facing: HIGH - Internet-facing systems processing untrusted XML invoices are directly exploitable.
🏢 Internal Only: MEDIUM - Internal systems processing XML from untrusted sources remain vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XXE exploitation is well documented and requires only the ability to submit XML invoices. No authentication is needed if the system accepts external XML input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.1

Vendor Advisory: https://github.com/iterasdev/peppol-py/releases/tag/1.1.1

Restart Required: No

Instructions:

1. Update peppol-py: pip install peppol-py==1.1.1
2. Verify installation: pip show peppol-py
3. Test invoice validation functionality
4. No service restart required for Python applications

🔧 Temporary Workarounds

Workaround: Disable external entity processing

Applies to: all

Description: Configure the XML parser to disable external entity resolution until the patch can be applied.

Steps: Modify the Saxon configuration to set the feature 'http://apache.org/xml/features/disallow-doctype-decl' to true.

🧯 If You Can't Patch

  • Implement strict input validation and XML schema validation before processing
  • Deploy network segmentation and restrict file system permissions for the application user
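The workaround above disallows DOCTYPE declarations in the Saxon parser; the same rule can be enforced on the application side before an invoice reaches the validator. The following is an added example, not code from peppol-py: it scans the raw invoice bytes with Python's built-in expat parser and rejects the document at the first DOCTYPE or entity declaration, before any element content is processed. The sample invoices are constructed for the example.

```python
import xml.parsers.expat as expat
from typing import Optional


def xxe_guard(data: bytes) -> Optional[str]:
    """Return None when the invoice is acceptable, otherwise a rejection reason.

    Parsing stops at the first DOCTYPE or entity declaration, so no external
    resource is ever resolved and no entity is ever expanded.
    """
    parser = expat.ParserCreate()
    # expat fetches no external entities unless an ExternalEntityRefHandler is
    # registered; disabling parameter-entity parsing adds a second margin.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    class Reject(Exception):
        pass

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise Reject(f"DOCTYPE declaration present (root={name!r}, SYSTEM={system_id!r})")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise Reject(f"entity declaration present: {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except Reject as reason:
        return str(reason)
    except expat.ExpatError as err:
        return f"malformed XML: {err}"
    return None


# Constructed sample: a minimal UBL-style invoice without any DOCTYPE.
SAFE_INVOICE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
  <ID>INV-0001</ID>
</Invoice>"""

# Constructed sample of the pattern the guard must stop: a DOCTYPE that
# declares an external entity referencing a local file.
DOCTYPE_INVOICE = b"""<?xml version="1.0"?>
<!DOCTYPE Invoice [ <!ENTITY ext SYSTEM "file:///etc/passwd"> ]>
<Invoice><ID>&ext;</ID></Invoice>"""

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_INVOICE), ("doctype", DOCTYPE_INVOICE)):
        print(label, "->", xxe_guard(doc) or "accepted")
```

Call `xxe_guard()` on the request body and only hand the bytes to the peppol-py validator when it returns None; the reason string can be written to the application log to feed the DOCTYPE-based detections listed under Detection & Monitoring.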

🔍 How to Verify

Check if Vulnerable:

Check the installed peppol-py version: pip show peppol-py | grep Version

Verify Fix Applied:

Verify that the installed version is 1.1.1 or later and test with known XXE payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in application logs
  • XML parsing errors with external entity references
  • Large XML files with DOCTYPE declarations

Network Indicators:

  • XML requests containing SYSTEM entities or file:// URIs
  • Outbound connections from XML parser to unexpected destinations

SIEM Query:

source="application.log" AND ("DOCTYPE" OR "SYSTEM" OR "file://") AND "peppol"
