CVE-2025-63917

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-63917

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63917.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-63917

Published

2025-11-17T17:15:51.207Z

Modified

2026-03-13T03:40:56.755096Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L CVSS Calculator

Summary

[none]

Details

PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63917.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.1.3.4663"
            }
        ]
    }
]