CVE-2025-64518
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64518
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cyclonedx cyclonedx-core-java 11.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an XML External Entity (XXE) injection issue in the cyclonedx-core-java library versions starting from 2.1.0 up to before 11.0.1. The XML Validator used by the library was not securely configured, allowing attackers to exploit XXE injection during XML validation. Although a previous fix addressed parsing of XML BOMs, it did not secure the validation process, leaving the vulnerability present until version 11.0.1 where it was fully fixed.

Impact Analysis

The vulnerability can allow an attacker to exploit the XML validation process to perform XXE injection attacks. This can lead to disclosure of sensitive information (confidentiality impact), as indicated by the CVSS score showing high confidentiality impact. Since the vulnerability does not affect integrity or availability, the main risk is unauthorized access to sensitive data through maliciously crafted XML inputs.

Mitigation Strategies

Upgrade cyclonedx-core-java to version 11.0.1 or later. As a workaround, reject XML documents before handing them to cyclonedx-core-java for validation, especially if incoming CycloneDX BOMs are known to be in JSON format.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart