CVE-2025-65482
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-03
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensagres | xdocreport | From 0.9.2 (inc) to 2.0.3 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-65482 is a high-severity XML External Entity (XXE) injection vulnerability in the XDocReport library (versions 0.9.2 to 2.0.3) that occurs when processing .docx files. The vulnerability arises because XDocReport uses Apache POI internally, which relies on Java's default SAXParser without disabling Document Type Definition (DTD) processing and external entity resolution. Attackers can craft malicious .docx files containing XML with DOCTYPE declarations that define external entities referencing remote URLs or local files. When such a file is processed, the parser resolves these external entities, leading to outbound HTTP requests to attacker-controlled servers or disclosure of sensitive local files. This allows attackers to execute arbitrary code, exfiltrate data, scan internal networks, or disrupt services. The vulnerability is mitigated by disabling DTD and external entity processing in the XML parser configuration. [1, 3, 4]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to several serious impacts: unauthorized data exfiltration including sensitive local files and Personally Identifiable Information (PII), outbound HTTP requests to attacker-controlled servers enabling out-of-band data leaks, internal network scanning, service disruption, reputational damage, and financial losses due to breach notifications and remediation costs. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual outbound HTTP requests triggered by processing uploaded .docx files, especially requests to unknown or attacker-controlled domains. One detection method is to analyze network traffic for HTTP requests originating from the application that processes .docx files. Additionally, inspecting uploaded .docx files by unzipping them and checking the word/document.xml file for DOCTYPE declarations with external entity references can help identify malicious files. Commands to assist detection include:

1. Unzip and inspect .docx files: `unzip suspicious.docx -d extracted && grep -i '<!DOCTYPE' extracted/word/document.xml`
2. Monitor outbound HTTP requests from the application server using tools like tcpdump or Wireshark, e.g., `tcpdump -i eth0 host attacker-controlled-domain.com` or `tcpdump -i eth0 port 80 or port 443` to capture suspicious traffic.
3. Use application logs to detect unexpected external entity resolution or errors related to XML parsing.

These approaches help identify exploitation attempts or the presence of crafted malicious documents. [1, 3, 4]
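The grep above only looks at word/document.xml, but Apache POI parses every .xml and .rels part inside the package, so a DOCTYPE can sit in a header, footer, or relationships part just as well. The scanner below is an added example (not code from XDocReport, POI, or the advisory) that generalizes the check to all XML parts of a .docx; the class name and the in-memory sample document are constructed for this illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

public class DocxDoctypeScanner {
    // A DOCTYPE must precede the root element, so inspecting the prolog is enough.
    private static final int PROLOG_BYTES = 4096;

    /** Returns the name of every XML part in the .docx whose prolog carries a DOCTYPE. */
    public static List<String> findDoctypeParts(InputStream docx) throws IOException {
        List<String> hits = new ArrayList<>();
        try (ZipInputStream zip = new ZipInputStream(docx)) {
            for (ZipEntry e = zip.getNextEntry(); e != null; e = zip.getNextEntry()) {
                String name = e.getName();
                // Every .xml and .rels part is handed to the XML parser, not only word/document.xml.
                if (e.isDirectory() || !(name.endsWith(".xml") || name.endsWith(".rels"))) continue;
                byte[] head = new byte[PROLOG_BYTES];
                int n = 0, got;
                while (n < head.length && (got = zip.read(head, n, head.length - n)) > 0) n += got;
                // OOXML parts are UTF-8 in practice; a UTF-16 part would need decoding by its BOM first.
                String prolog = new String(head, 0, n, StandardCharsets.UTF_8).toUpperCase();
                if (prolog.contains("<!DOCTYPE")) hits.add(name);
            }
        }
        return hits;
    }

    /** Constructed sample: a clean document part plus a header part carrying an inert DOCTYPE. */
    static byte[] sampleDocx() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(buf)) {
            zip.putNextEntry(new ZipEntry("word/document.xml"));
            zip.write("<?xml version=\"1.0\"?><doc/>".getBytes(StandardCharsets.UTF_8));
            zip.closeEntry();
            zip.putNextEntry(new ZipEntry("word/header1.xml"));
            zip.write("<?xml version=\"1.0\"?><!DOCTYPE hdr [<!ENTITY x \"inert\">]><hdr>&x;</hdr>"
                    .getBytes(StandardCharsets.UTF_8));
            zip.closeEntry();
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        System.out.println("DOCTYPE in: " + findDoctypeParts(new ByteArrayInputStream(sampleDocx())));
    }
}
```

Any hit is worth quarantining: a legitimately produced .docx contains no DOCTYPE in any of its parts, so the check has essentially no benign positives.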
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves disabling Document Type Definition (DTD) processing and external entity resolution in the XML parser configuration used by XDocReport. Specifically, configure the SAXParserFactory with the following features set:

```java
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```

This prevents the parser from processing any DOCTYPE declarations or external entities, effectively mitigating XXE attacks. Additionally, update XDocReport to a patched version where this fix is applied (versions after 2.0.3) or apply the patch from the official repository (pull request #547). As a temporary measure, restrict file uploads to trusted users and scan uploaded .docx files for malicious content before processing. Monitoring and blocking outbound HTTP requests to unknown domains can also reduce risk. [1, 3, 4]
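To see what those three features do in practice, here is an added example (not code from XDocReport, POI, or pull request #547) that builds a SAXParserFactory with exactly that configuration and feeds it a clean document and one carrying a DOCTYPE; the class name and the two input strings are constructed for this illustration, and it assumes the JDK's built-in SAX parser, which honours the disallow-doctype-decl feature.

```java
import java.io.StringReader;
import javax.xml.parsers.*;
import org.xml.sax.*;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParser {

    /** SAXParserFactory configured with the three features named in the mitigation above. */
    public static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright, so neither an internal nor an external DTD subset is ever read.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for a parser implementation that would still honour a DOCTYPE.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf;
    }

    /** Parses with the hardened factory; false means the document was rejected at its DOCTYPE. */
    public static boolean accepts(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // The JDK parser raises a SAXParseException as soon as it reaches the DOCTYPE,
            // before any entity, internal or external, can be resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain part and one carrying a DOCTYPE with an inert internal entity.
        String clean = "<?xml version=\"1.0\"?><doc><body/></doc>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE doc [<!ENTITY x \"inert\">]><doc>&x;</doc>";
        System.out.println("clean accepted:   " + accepts(clean));
        System.out.println("DOCTYPE accepted: " + accepts(withDoctype));
    }
}
```

Applications that only consume XDocReport cannot reach the parser POI constructs internally, so for them the effective fix is the library upgrade; this configuration is what to apply wherever your own code creates a SAXParserFactory for untrusted XML.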
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to exfiltrate sensitive files, including Personally Identifiable Information (PII), from the affected systems by exploiting XML External Entity (XXE) injection. This data breach risk can lead to non-compliance with regulations such as GDPR and HIPAA, which mandate the protection of sensitive personal and health information. Exploitation may result in unauthorized disclosure of protected data, triggering breach notification requirements, reputational damage, and financial penalties under these standards. Therefore, CVE-2025-65482 poses a significant compliance risk if exploited. [1, 3, 4]