CVE-2025-64518
BaseFortify
Publication date: 2025-11-10
Last updated on: 2025-11-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cyclonedx | cyclonedx-core-java | 11.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML External Entity (XXE) injection issue in the cyclonedx-core-java library versions starting from 2.1.0 up to before 11.0.1. The XML Validator used by the library was not securely configured, allowing attackers to exploit XXE injection during XML validation. Although a previous fix addressed parsing of XML BOMs, it did not secure the validation process, leaving the vulnerability present until version 11.0.1 where it was fully fixed.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to exploit the XML validation process to perform XXE injection attacks. This can lead to disclosure of sensitive information (confidentiality impact), as indicated by the CVSS score showing high confidentiality impact. Since the vulnerability does not affect integrity or availability, the main risk is unauthorized access to sensitive data through maliciously crafted XML inputs.
What immediate steps should I take to mitigate this vulnerability?
Upgrade cyclonedx-core-java to version 11.0.1 or later. As a workaround, reject XML documents before handing them to cyclonedx-core-java for validation, especially if incoming CycloneDX BOMs are known to be in JSON format.