CVE-2025-63917
BaseFortify
Publication date: 2025-11-17
Last updated on: 2025-11-18
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| itext | itext | * |
| wmjordan | pdfpatcher | * |
| mupdf | mupdf | * |
| wmjordan | pdfpatcher | 1.1.3.4663 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PDFPatcher's XML bookmark import functionality, which does not restrict XML external entity (XXE) references. Because the application uses .NET's XmlDocument class without disabling external entity resolution, attackers can exploit this to read arbitrary files on the victim's filesystem, exfiltrate sensitive data via out-of-band HTTP requests, perform server-side request forgery (SSRF) attacks against internal network resources, or cause denial of service through entity expansion attacks.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to sensitive files on your system, data leakage through exfiltration of information, potential attacks on internal network resources via SSRF, and denial of service conditions caused by entity expansion attacks, all of which can compromise system security and availability.
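The root cause named above is an XmlDocument that still resolves DTDs and external entities. The following C# loader is an added example, not PDFPatcher's own code, showing the hardened pattern: parse through an XmlReader that prohibits DTDs and has no resolver, and clear the document's resolver as well. The bookmark element names and sample inputs are assumed for illustration.

```csharp
// Added example (not PDFPatcher's code): hardened loading of an XML bookmark
// file with .NET's XmlDocument so that DTDs and external entities are never
// resolved. The "bookmarks" element layout is assumed for illustration.
using System;
using System.IO;
using System.Xml;

static class SafeBookmarkLoader
{
    // Loads untrusted XML without resolving DTDs, external entities or URIs.
    public static XmlDocument Load(TextReader input)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> throws XmlException
            XmlResolver = null,                      // no file:// or http:// fetches by the reader
            MaxCharactersFromEntities = 1024         // caps expansion if DTDs were ever re-enabled
        };
        // Clearing XmlResolver on the document itself matters on older .NET Framework
        // builds, where XmlDocument resolved external entities by default.
        var doc = new XmlDocument { XmlResolver = null };
        using (var reader = XmlReader.Create(input, settings))
        {
            doc.Load(reader);
        }
        return doc;
    }

    static void Main()
    {
        // Constructed samples: a benign bookmark file and one that carries a DTD.
        const string benign = "<bookmarks><bookmark title=\"Cover\" page=\"1\"/></bookmarks>";
        const string withDtd = "<!DOCTYPE bookmarks [<!ENTITY e \"x\">]><bookmarks>&e;</bookmarks>";

        var doc = Load(new StringReader(benign));
        Console.WriteLine("benign: " + doc.DocumentElement.FirstChild.Attributes["title"].Value);

        try
        {
            Load(new StringReader(withDtd));
            Console.WriteLine("unexpected: DTD accepted");
        }
        catch (XmlException ex)
        {
            // DtdProcessing.Prohibit rejects the document before any entity is processed.
            Console.WriteLine("rejected DTD: " + ex.Message);
        }
    }
}
```

Because the reader rejects the DOCTYPE outright, internal entity expansion and any SYSTEM reference are never evaluated, which closes the file-read, out-of-band exfiltration, SSRF and expansion cases listed above in one step.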