CVE-2025-53621
BaseFortify

Publication date: 2025-07-15

Last updated on: 2025-07-15

Assigner: GitHub, Inc.

Description
DSpace open source software is a repository application which provides durable access to digital resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace prior to 7.6.4, 8.2, and 9.1.

External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from the command line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API.

An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running.

The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator, who would trigger the import.

The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. One may also apply some best practices, though the protection provided is not as complete as upgrading: administrators must carefully inspect any SAF archives (that they did not construct themselves) before importing, and, as necessary, affected external services can be disabled to mitigate the ability for payloads to be delivered via external service APIs.
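The two parser configurations the description contrasts, as an added example written for this page (it is not DSpace's code, and the class and method names are assumptions): a constructed SAF-style dublin_core.xml carries an external entity pointing at a local file, a default JAXP DocumentBuilderFactory inlines that file into the title metadata, and a factory hardened in the way the fix describes (external entities disabled, DOCTYPE refused) rejects the document before any entity is resolved. The "secret" file is a temp file the program creates itself so the demo is self-contained.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not DSpace code): an XXE payload shaped like a SAF
 * dublin_core.xml, parsed once with a default JAXP factory and once with a
 * hardened one. Class and method names are illustrative assumptions.
 */
public class SafXxeDemo {

    // Constructed payload. The external entity targets a temp file created in
    // main(); a real payload would point at a file readable by the Tomcat user,
    // e.g. DSpace's local.cfg, or at http://attacker.example/ to force a callback.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE dublin_core [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<dublin_core schema=\"dc\">\n"
             + "  <dcvalue element=\"title\" qualifier=\"none\">&xxe;</dcvalue>\n"
             + "</dublin_core>\n";
    }

    /** Default JAXP factory: external general entities are resolved and inlined. */
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright is the strongest single setting; the
        // remaining features are defence in depth for parsers that ignore it.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the document and returns the text of the first dcvalue element. */
    static String firstTitle(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("dcvalue").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("dspace-secret", ".cfg");
        Files.writeString(secret, "db.password=hunter2\n"); // constructed sample content
        String xml = payload(secret);
        try {
            // 1. Unhardened parser: the file's contents become the item's title.
            System.out.println("unsafe parser title = " + firstTitle(unsafeFactory(), xml).trim());

            // 2. Hardened parser: the DOCTYPE is refused before any entity is fetched.
            try {
                firstTitle(hardenedFactory(), xml);
                System.out.println("hardened parser: unexpectedly accepted payload");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected payload: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with a plain JDK (`javac SafXxeDemo.java && java SafXxeDemo`); no DSpace dependency is needed. The same factory settings apply to the SAX and StAX parsers DSpace may use for the upstream-service responses, where the feature names are set on the SAXParserFactory or XMLInputFactory instead.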
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-15
EPSS Evaluated: 2026-05-05
Also listed in: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

Vendor | Product | Version / Range
dspace | dspace | 9.1
dspace | dspace | 7.6.4
dspace | dspace | 8.2

Note: the three CPE versions above are the fixed releases named in the description. The affected range is every DSpace version prior to 7.6.4, 8.2, and 9.1.
Exploitability

CWE ID | Description
CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

KEV: no entry shown on this page.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53621 is a vulnerability in DSpace where XML External Entity (XXE) injection is possible during XML parsing in import operations. Specifically, external entities are not disabled when parsing XML files during the import of archives in Simple Archive Format (SAF), nor when parsing responses from external metadata sources such as ArXiv, Crossref, OpenAIRE, and Creative Commons. An attacker who can get crafted XML into one of these inputs can make the server connect to an attacker-controlled site or read local files accessible to the Tomcat user, with the retrieved content landing in a metadata field. Exploitation requires that an administrator trust and import the malicious payload. The vulnerability affects all DSpace versions prior to 7.6.4, 8.2, and 9.1, and is fixed by disabling external entity processing in the XML parsers used for these imports. [7]


How can this vulnerability impact me? :

This vulnerability can lead to sensitive information disclosure: an attacker can read arbitrary files or configuration from the server where DSpace is running, limited to what the Tomcat user can access. It can also cause the server to make connections to attacker-controlled sites (Server-Side Request Forgery), and the retrieved content can be injected into metadata fields. Exploitation requires either compromised administrator credentials or convincing an administrator to import a malicious archive. If one of the external services used for metadata import is compromised or impersonated, its XML responses can carry the payload instead. The impact is potential exposure of sensitive data and unauthorized outbound network connections. [7]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2025-53621 involves monitoring for suspicious XML import activity, especially SAF imports via the command line or the "Batch Import (Zip)" user interface. Since exploitation requires an administrator to import malicious XML, review import logs for SAF archives that came from outside the organisation or from an untrusted source. Network monitoring for unexpected outbound connections from the DSpace server to unknown external hosts (potential SSRF) can also reveal exploitation attempts. The resources do not provide specific commands; administrators should audit usage of './dspace import' and inspect DSpace and Tomcat logs for anomalies. Inspecting SAF archives for DOCTYPE or entity declarations before import is advised, since legitimate SAF metadata files contain neither. [7]
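A pre-import gate of the kind the answer above recommends, as an added example written for this page (not a DSpace tool; the class and method names are assumptions): it walks an unpacked SAF directory, or the zip used by "Batch Import (Zip)", and reports every XML file that declares a DOCTYPE or an entity, which a well-formed SAF archive never needs. The two-item SAF tree it scans when run without arguments is constructed in a temp directory; pass a directory or zip path as the first argument to scan a real archive.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

/**
 * Added example (not DSpace code): flags XML files in a SAF archive that carry a
 * DOCTYPE or ENTITY declaration, so an administrator can refuse the import
 * before an XXE payload ever reaches the parser. Names are illustrative.
 */
public class SafDoctypeScan {

    // Matches a DTD or entity declaration anywhere in the file, regardless of
    // leading comments, whitespace or case.
    static final Pattern SUSPICIOUS =
        Pattern.compile("<!(DOCTYPE|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    static boolean looksSuspicious(byte[] xml) {
        // ISO-8859-1 decodes any byte sequence without error; the markers are ASCII.
        return SUSPICIOUS.matcher(new String(xml, StandardCharsets.ISO_8859_1)).find();
    }

    /** Scans an unpacked SAF directory (the layout `./dspace import -s DIR` expects). */
    static List<String> scanDirectory(Path root) throws IOException {
        List<String> hits = new ArrayList<>();
        try (Stream<Path> s = Files.walk(root)) {
            for (Path p : (Iterable<Path>) s::iterator) {
                if (Files.isRegularFile(p) && p.toString().toLowerCase().endsWith(".xml")
                        && looksSuspicious(Files.readAllBytes(p))) {
                    hits.add(root.relativize(p).toString());
                }
            }
        }
        return hits;
    }

    /** Scans a zipped SAF archive as uploaded through "Batch Import (Zip)". */
    static List<String> scanZip(Path zip) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(Files.newInputStream(zip))) {
            ZipEntry e;
            while ((e = in.getNextEntry()) != null) {
                if (!e.isDirectory() && e.getName().toLowerCase().endsWith(".xml")
                        && looksSuspicious(in.readAllBytes())) {
                    hits.add(e.getName());
                }
            }
        }
        return hits;
    }

    /** Constructed demo archive: item_001 is clean, item_002 carries an external entity. */
    static Path buildDemoArchive() throws IOException {
        Path root = Files.createTempDirectory("saf");
        Path clean = Files.createDirectories(root.resolve("item_001"));
        Path bad = Files.createDirectories(root.resolve("item_002"));
        Files.writeString(clean.resolve("dublin_core.xml"),
            "<dublin_core schema=\"dc\"><dcvalue element=\"title\">Clean</dcvalue></dublin_core>");
        Files.writeString(clean.resolve("contents"), "paper.pdf\n");
        Files.writeString(bad.resolve("dublin_core.xml"),
            "<!DOCTYPE dublin_core [<!ENTITY x SYSTEM \"file:///etc/passwd\">]>"
          + "<dublin_core schema=\"dc\"><dcvalue element=\"title\">&x;</dcvalue></dublin_core>");
        return root;
    }

    public static void main(String[] args) throws IOException {
        Path target = args.length > 0 ? Path.of(args[0]) : buildDemoArchive();
        List<String> hits = Files.isDirectory(target) ? scanDirectory(target) : scanZip(target);
        if (hits.isEmpty()) {
            System.out.println("no DOCTYPE/ENTITY declarations found in " + target);
            return;
        }
        System.out.println("REFUSE import of " + target + "; suspicious files:");
        hits.forEach(h -> System.out.println("  " + h));
        System.exit(1); // non-zero so the check can gate a scripted ./dspace import
    }
}
```

This is a screening step, not a substitute for the patched parser: it only catches declarations inside the files of the archive itself, so it says nothing about the XML responses DSpace fetches from external services, which need the parser-level fix.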


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to upgrade DSpace to 7.6.4, 8.2, or 9.1, where the vulnerability is fixed. If upgrading is not immediately possible, apply the manual patches from the referenced GitHub pull requests (#11032 for 7.x, #11034 for 8.x, #11035 for 9.0), which switch the affected code paths to XML parsing that disables external entity processing; after patching, rebuild the backend with Maven, redeploy, and restart the server for the change to take effect. In addition, administrators should carefully inspect any SAF archive they did not construct themselves before importing it, and consider disabling the affected external metadata import services (ArXiv, Crossref, OpenAIRE, Creative Commons) so that payloads cannot be delivered through their APIs. [7, 1, 2, 3]

