CVE-2025-64518

Source
https://cve.org/CVERecord?id=CVE-2025-64518
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64518.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64518
Aliases
Related
Published
2025-11-10T22:08:06.229Z
Modified
2026-04-12T18:28:21.533585Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
Details

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, leaving the library vulnerable to XML External Entity (XXE) injection when an XML BOM is validated. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete: it hardened only the parsing of XML BOMs, not their validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation; this is an option when incoming CycloneDX BOMs are known to be in JSON format.
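The following is an added example, not code from cyclonedx-core-java or its fix commits. It shows the general javax.xml.validation shape behind this class of bug: a Validator given a raw StreamSource spins up its own XML reader, so hardening applied to a separate parsing path does not protect validation. The toy schema (TOY_XSD), the XXE probe (XXE_BOM, which points at /etc/hostname as a harmless local target) and all helper names are constructed for this example; the CycloneDX API itself is not used, since the point is the underlying validator configuration. It also implements the advisory's workaround as looksLikeXml.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class SecureBomValidation {

    // Constructed toy schema standing in for the CycloneDX XSD; not the real schema.
    static final String TOY_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"bom\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"serialNumber\" type=\"xs:string\"/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Constructed XXE probe: declares an external entity and references it in element content.
    static final String XXE_BOM =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE bom [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
      + "<bom><serialNumber>&xxe;</serialNumber></bom>";

    /** Compile the schema with external access off, so the XSD itself cannot pull remote includes. */
    static Schema compileSchema(String xsd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf.newSchema(new StreamSource(new ByteArrayInputStream(xsd.getBytes(StandardCharsets.UTF_8))));
    }

    /** Vulnerable shape: the Validator parses the stream itself with default (entity-resolving) settings. */
    static void validateInsecurely(Schema schema, byte[] xml) throws SAXException, IOException {
        Validator v = schema.newValidator();
        v.validate(new StreamSource(new ByteArrayInputStream(xml)));
    }

    /** Hardened Validator: same call, but external DTD and schema access are disabled on the Validator. */
    static void validateWithHardenedValidator(Schema schema, byte[] xml) throws SAXException, IOException {
        Validator v = schema.newValidator();
        v.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        v.validate(new StreamSource(new ByteArrayInputStream(xml)));
    }

    /** Belt and braces: parse with a DOCTYPE-rejecting DocumentBuilder, then validate the resulting DOM. */
    static void parseThenValidate(Schema schema, byte[] xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml));   // throws on any DOCTYPE
        schema.newValidator().validate(new DOMSource(doc));
    }

    /** Advisory workaround: refuse anything that looks like XML when only JSON BOMs are expected. */
    static boolean looksLikeXml(byte[] input) {
        int i = 0;
        // Skip a UTF-8 byte-order mark and leading whitespace before sniffing for '<'.
        if (input.length >= 3 && (input[0] & 0xFF) == 0xEF
                && (input[1] & 0xFF) == 0xBB && (input[2] & 0xFF) == 0xBF) i = 3;
        while (i < input.length && Character.isWhitespace(input[i])) i++;
        return i < input.length && input[i] == '<';
    }

    public static void main(String[] args) throws Exception {
        Schema schema = compileSchema(TOY_XSD);
        byte[] xml = XXE_BOM.getBytes(StandardCharsets.UTF_8);

        // Workaround from the advisory: if only JSON is expected, stop here.
        System.out.println("looksLikeXml: " + looksLikeXml(xml));

        // On a typical JDK the entity resolves, the file content lands in <serialNumber>,
        // and validation reports success: the document was "valid" and leaked a local file.
        try { validateInsecurely(schema, xml); System.out.println("insecure validator: accepted (entity expanded)"); }
        catch (SAXException | IOException e) { System.out.println("insecure validator: " + e.getMessage()); }

        try { validateWithHardenedValidator(schema, xml); System.out.println("hardened validator: accepted?!"); }
        catch (SAXException e) { System.out.println("hardened validator rejected: " + e.getMessage()); }

        try { parseThenValidate(schema, xml); System.out.println("parse-then-validate: accepted?!"); }
        catch (SAXException e) { System.out.println("parse-then-validate rejected: " + e.getMessage()); }
    }
}
```

Two practitioner notes. First, set ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA explicitly rather than relying on FEATURE_SECURE_PROCESSING alone: whether the secure-processing feature also restricts those properties depends on the JDK release and on jaxp.properties overrides. Second, the parse-then-validate path rejects the DOCTYPE before any entity is declared, which also closes off entity-expansion denial of service (the CVSS vector above only scores confidentiality, C:H, which is what the file-read probe exercises).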

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64518.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-611"
    ]
}
References

Affected packages

Git / github.com/cyclonedx/cyclonedx-core-java

Affected ranges

Type
GIT
Repo
https://github.com/cyclonedx/cyclonedx-core-java
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/cyclonedx/cyclonedx-core-java
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

cyclonedx-core-java-1.*
cyclonedx-core-java-1.0.0
cyclonedx-core-java-1.0.1
cyclonedx-core-java-1.0.2
cyclonedx-core-java-1.1.0
cyclonedx-core-java-1.1.1
cyclonedx-core-java-1.1.2
cyclonedx-core-java-2.*
cyclonedx-core-java-2.0.0
cyclonedx-core-java-2.0.1
cyclonedx-core-java-2.0.2
cyclonedx-core-java-2.1.0
cyclonedx-core-java-2.1.1
cyclonedx-core-java-2.5.0
cyclonedx-core-java-2.5.1
cyclonedx-core-java-2.6.0
cyclonedx-core-java-2.6.1
cyclonedx-core-java-2.6.2
cyclonedx-core-java-2.6.3
cyclonedx-core-java-2.6.4
cyclonedx-core-java-2.6.5
cyclonedx-core-java-2.7.0
cyclonedx-core-java-3.*
cyclonedx-core-java-3.0.0
cyclonedx-core-java-3.0.1
cyclonedx-core-java-3.0.2
cyclonedx-core-java-3.0.3
cyclonedx-core-java-3.0.4
cyclonedx-core-java-3.0.5
cyclonedx-core-java-3.0.6
cyclonedx-core-java-3.0.7
cyclonedx-core-java-3.0.8
cyclonedx-core-java-4.*
cyclonedx-core-java-4.0.0
cyclonedx-core-java-4.0.1
cyclonedx-core-java-4.0.2
cyclonedx-core-java-4.0.3
cyclonedx-core-java-4.1.0
cyclonedx-core-java-4.1.1
cyclonedx-core-java-4.1.2
cyclonedx-core-java-5.*
cyclonedx-core-java-5.0.0
cyclonedx-core-java-5.0.1
cyclonedx-core-java-5.0.2
cyclonedx-core-java-5.0.3
cyclonedx-core-java-5.0.4
cyclonedx-core-java-5.0.5
cyclonedx-core-java-6.*
cyclonedx-core-java-6.0.0
cyclonedx-core-java-7.*
cyclonedx-core-java-7.0.0
cyclonedx-core-java-7.1.0
cyclonedx-core-java-7.1.1
cyclonedx-core-java-7.1.2
cyclonedx-core-java-7.1.3
cyclonedx-core-java-7.1.4
cyclonedx-core-java-7.1.5
cyclonedx-core-java-7.1.6
cyclonedx-core-java-7.2.0
cyclonedx-core-java-7.2.1
cyclonedx-core-java-7.3.0
cyclonedx-core-java-7.3.1
cyclonedx-core-java-7.3.2
cyclonedx-core-java-8.*
cyclonedx-core-java-8.0.0
cyclonedx-core-java-8.0.1
cyclonedx-core-java-8.0.2
cyclonedx-core-java-8.0.3
cyclonedx-core-java-9.*
cyclonedx-core-java-9.0.0
cyclonedx-core-java-9.0.1
cyclonedx-core-java-9.0.2
cyclonedx-core-java-9.0.3
cyclonedx-core-java-9.0.4
cyclonedx-core-java-9.0.5
cyclonedx-core-java-9.1.0
cyclonedx-core-java-10.*
cyclonedx-core-java-10.0.0
cyclonedx-core-java-10.1.0
cyclonedx-core-java-10.2.0
cyclonedx-core-java-10.2.1
cyclonedx-core-java-11.*
cyclonedx-core-java-11.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64518.json"
vanir_signatures_modified
"2026-04-12T18:28:21Z"
vanir_signatures
[
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/BomParser.java"
        },
        "id": "CVE-2025-64518-62f7c961",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "34504444981118600323034738461681656589",
                "212740059844629878369061682406488167225",
                "209031591197603138593050092143413831735",
                "80954175022531425074034064149135080106",
                "247947787893926599054184435789652542419",
                "122157605995160209998321444981486558279",
                "328241334861835366465137125642190575863",
                "38871888883082820773905728712921270955",
                "260785617863995581490430641367879217931",
                "202311340245244270737290009378123309230",
                "179846359415919664669053916907451531013",
                "111150300510357191072135832699944488007",
                "147710338907469332931449743801082454691",
                "166774057741574269102614535682736281130",
                "303990159814315685329358749284549877171",
                "322298185536086876963670208636633033438",
                "6128594856017178074725835522887121943",
                "303445749765391513796285822226809707128",
                "38314875529258705920161723896759124039",
                "21640233637484091343069118224441190992",
                "119938081631787505131739642536816903035",
                "259729204361211721531938421942985320711",
                "6128594856017178074725835522887121943",
                "43948760001854080289395823315510689286",
                "48764386621932933112565435160770399245",
                "286789924612653364365033557381590484946",
                "159009771416151728966511507147005182132",
                "234004210667073315678750830762348528968",
                "6128594856017178074725835522887121943",
                "270562763978214093117581450837857302908",
                "316753126304611774397218891282400924735",
                "155139960532581275582080396404100615936"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/CycloneDxSchema.java",
            "function": "Version"
        },
        "id": "CVE-2025-64518-848d49df",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 51.0,
            "function_hash": "216190859915552726671707505792069809036"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/model/Bom.java"
        },
        "id": "CVE-2025-64518-893f24f6",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "6416757517551935980438210350678069995",
                "71021791509624368437246764191286669381",
                "234033961185400836318471813959007558924",
                "117602388512608793181409533131328291243",
                "339489677059348769451741677493529912778",
                "145825606961722400795612474258861690060",
                "218171855160389039917168906681225701124"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/BomParser.java",
            "function": "parse"
        },
        "id": "CVE-2025-64518-90de517f",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 219.0,
            "function_hash": "187673743625268070606204650593769628063"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/test/java/org/cyclonedx/BomXmlGeneratorTest.java"
        },
        "id": "CVE-2025-64518-a1b59620",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "3385645807519848179389217156517585569",
                "193224708163857897099906685817950544527",
                "266226425517552708391054250785166125152",
                "291918081741804392054244554144855196076",
                "18393444493015422557323926317776508528",
                "325673129728973883676071339351438173836",
                "41205256224044233351247662629439288149",
                "306878072397715522512253894314638176636",
                "164331488965034022561423026318967263361",
                "135615407257359063789700195075563373879",
                "40371399531374237595954732451010099312",
                "9804888202956299570616965813603262047",
                "66296260718659657118086943759886138370",
                "105974405773328520365167066172523958389",
                "244174321904575225120450114728903948614",
                "191831971888484434045593818400187596855",
                "206677844187484071681125150875414045378",
                "228200250151227343099685355936496817353",
                "296783962350523976464182213797683278433",
                "227811397581963679284173470230204179567",
                "168231239013216771559198208450729975936",
                "52190694922581195269828593346315389149",
                "226562354780301256692815724101192838966",
                "164343077778323918569665633685929209903",
                "48824396917542452837243849069895912948",
                "22548003662254556003927408165637553901",
                "188122709802632527742254111825174881493",
                "105465200759480612769152912745726486451",
                "117803296698151436767410786673755404458",
                "110134874837760545017432351292534176688"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/CycloneDxSchema.java",
            "function": "getXmlSchema10"
        },
        "id": "CVE-2025-64518-a936474d",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 337.0,
            "function_hash": "204919217757973157786884933048045240844"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/CycloneDxSchema.java",
            "function": "getXmlSchema11"
        },
        "id": "CVE-2025-64518-aa01e219",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 337.0,
            "function_hash": "172856367310594722590264173538941443172"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/CycloneDxSchema.java"
        },
        "id": "CVE-2025-64518-bc751162",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "62651506715212936223275160310320541164",
                "273540614068069960738776670014868414654",
                "179903688480113687893451483176626892361",
                "10947775816060374110776112863799078156",
                "308478514208685003773329567776748572385",
                "166205797719195516710814569030731472987",
                "183404230494584912865310993200381104545",
                "116455072070993342289812538282094188323",
                "209608703495346285147069918667832189233",
                "44036984849668413200283342605354465082",
                "332697066271035459847559379640076997584",
                "235509724450105283889096291341657034279",
                "159580212877193085293752868714808157324",
                "73329059343170096576006739842213699400",
                "49346770411879598224865121551041974972",
                "217192647683634533807699872564573591295",
                "159617170078275049561703512466115093150",
                "192445694139955025354901125511533799732",
                "72642086581146967366307837097754688399",
                "278873618003128164492397484602039363595",
                "136116691022784864290682020181939226532",
                "292712911668691204991595053086930247283",
                "16980246020333936954987992831934254892",
                "93587329178525896784550302202224550157",
                "215081561896435052524150468955183478795",
                "71734063724706648460059497867031080096",
                "72756898930049052084477882964015601478",
                "154556550225782361706738754297563823159",
                "141907214240881371449075480320040306542",
                "99759497681356544595445283618046127715",
                "323682925910136167210222768472600135239",
                "57523888708408489648591931446611101006",
                "49157671663242910914198957294873981992"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/parsers/XmlParser.java",
            "function": "createSecureDocument"
        },
        "id": "CVE-2025-64518-c050b77e",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 326.0,
            "function_hash": "183741017887479408503541869115303684064"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/main/java/org/cyclonedx/parsers/XmlParser.java"
        },
        "id": "CVE-2025-64518-d9a3c936",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "313030804255263483230843030111642977534",
                "160314261706537797198159750488526815469",
                "156945520181216931251854298718852238740",
                "62733835273118302776975321106774188351"
            ]
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/test/java/org/cyclonedx/BomXmlGeneratorTest.java",
            "function": "testXxeProtection"
        },
        "id": "CVE-2025-64518-f7d18203",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 110.0,
            "function_hash": "150048613811047808506307048662310629716"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/test/java/org/cyclonedx/parsers/XmlParserTest.java"
        },
        "id": "CVE-2025-64518-fddeb05b",
        "source": "https://github.com/cyclonedx/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "187033464239195819994187077648512530869",
                "70574788702559937243076420007194141256",
                "216247408386233107214316573716048435344",
                "247653652246281548284545415749989894443",
                "200251816353519977193274714918454660006",
                "26327815472315602712430207186437202335",
                "50647186193821847688470236953891541656",
                "41453667460749076737201092246306843653",
                "6412382520421243722100588276918939444",
                "106987125677376898558966782449319060762",
                "7125654851374674136499746623156534674",
                "259953493086777429799304043914852026598",
                "140803849387440476196472558068414246068",
                "9675312024109701550716538567383744325",
                "89495361852997876658822026672114269111",
                "180003128944538499560216183162135563571",
                "79035235370956913812887601488640251399",
                "195286579477936347481817789749706829980",
                "302504159119527577402147301872743597671",
                "240848111306713234533894941007133843541"
            ]
        },
        "signature_version": "v1"
    }
]