CVE-2025-68463
Unknown Unknown - Not Provided
XXE Vulnerability in Biopython Bio.Entrez Through

Publication date: 2025-12-18

Last updated on: 2026-05-08

Assigner: MITRE

Description
Bio.Entrez in Biopython through 186 allows doctype XXE.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68463
EUVD
EUVD-2025-204037
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
biopython biopython From 3.13.1 (inc) to 3.13.11 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in CVE-2025-68463 affects the Bio.Entrez module in Biopython, where the XML parser processes external Document Type Definitions (DTDs) and XML Schema Definitions (XSDs) by fetching them via HTTP requests. This allows an attacker to craft malicious XML input containing external entity references (DOCTYPE declarations) that cause the parser to make arbitrary HTTP GET requests. This behavior leads to an XML External Entity (XXE) vulnerability and server-side request forgery (SSRF), enabling attackers to access internal network resources or cause denial-of-service conditions by forcing the server to make unwanted network requests. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to perform server-side request forgery (SSRF), which can lead to unauthorized access to internal network resources. Additionally, it can cause denial-of-service (DoS) conditions by forcing the server to make unwanted network requests. There is also a risk of man-in-the-middle (MITM) attacks and cache poisoning due to lack of enforced TLS on these requests, although these are secondary concerns. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusual HTTP GET requests initiated by the Bio.Entrez module when parsing XML, especially requests for external DTD or XSD files. Detection can include analyzing network traffic for unexpected outbound requests from systems running Biopython, particularly those triggered by XML parsing. Additionally, running the provided demonstration script (biopython_doctype_xxe_demo.py) can help confirm the presence of the vulnerability. Specific commands are not provided in the resources, but network monitoring tools like tcpdump or Wireshark can be used to capture and analyze such HTTP requests. [1]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the use of external entity processing in the Bio.Entrez module to prevent fetching external DTD or XSD files. Avoid parsing untrusted XML input with the vulnerable Biopython versions. Applying patches or updates from the Biopython project that address this vulnerability is recommended. Additionally, network-level controls can be implemented to block outgoing HTTP requests initiated by the vulnerable module to untrusted external servers. Mitigating man-in-the-middle and cache poisoning risks may also help but are secondary to addressing the primary SSRF and XXE issues. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68463. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart