CVE-2025-64518
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64518, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-10

Last updated on: 2025-11-12

Assigner: GitHub, Inc.

Description

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-10
Last Modified
2025-11-12
Generated
2026-07-06
AI Q&A
2025-11-11
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cyclonedx cyclonedx-core-java 11.0.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an XML External Entity (XXE) injection issue in the cyclonedx-core-java library versions starting from 2.1.0 up to before 11.0.1. The XML Validator used by the library was not securely configured, allowing attackers to exploit XXE injection during XML validation. Although a previous fix addressed parsing of XML BOMs, it did not secure the validation process, leaving the vulnerability present until version 11.0.1 where it was fully fixed.

Impact Analysis

The vulnerability can allow an attacker to exploit the XML validation process to perform XXE injection attacks. This can lead to disclosure of sensitive information (confidentiality impact), as indicated by the CVSS score showing high confidentiality impact. Since the vulnerability does not affect integrity or availability, the main risk is unauthorized access to sensitive data through maliciously crafted XML inputs.

Mitigation Strategies

Upgrade cyclonedx-core-java to version 11.0.1 or later. As a workaround, reject XML documents before handing them to cyclonedx-core-java for validation, especially if incoming CycloneDX BOMs are known to be in JSON format.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart