CVE-2025-64518
- Source
- https://cve.org/CVERecord?id=CVE-2025-64518
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64518.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-64518
- Aliases
- Related
- Published
- 2025-11-10T22:08:06.229Z
- Modified
- 2026-03-01T02:54:20.076551Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
- Details
-
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML
Validatorused by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format. - Database specific
{ "cwe_ids": [ "CWE-611" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64518.json" }- References
-
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64518.json
- https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
- https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314
- https://github.com/CycloneDX/cyclonedx-core-java/pull/737
- https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r
- https://nvd.nist.gov/vuln/detail/CVE-2025-64518
Affected packages
Git / github.com/cyclonedx/cyclonedx-core-java
Affected versions
cyclonedx-core-java-10.*
cyclonedx-core-java-10.0.0
cyclonedx-core-java-10.1.0
cyclonedx-core-java-10.2.0
cyclonedx-core-java-10.2.1
cyclonedx-core-java-11.*
cyclonedx-core-java-11.0.0
cyclonedx-core-java-2.*
cyclonedx-core-java-2.1.0
cyclonedx-core-java-2.1.1
cyclonedx-core-java-2.5.0
cyclonedx-core-java-2.5.1
cyclonedx-core-java-2.6.0
cyclonedx-core-java-2.6.1
cyclonedx-core-java-2.6.2
cyclonedx-core-java-2.6.3
cyclonedx-core-java-2.6.4
cyclonedx-core-java-2.6.5
cyclonedx-core-java-2.7.0
cyclonedx-core-java-3.*
cyclonedx-core-java-3.0.0
cyclonedx-core-java-3.0.1
cyclonedx-core-java-3.0.2
cyclonedx-core-java-3.0.3
cyclonedx-core-java-3.0.4
cyclonedx-core-java-3.0.5
cyclonedx-core-java-3.0.6
cyclonedx-core-java-3.0.7
cyclonedx-core-java-3.0.8
cyclonedx-core-java-4.*
cyclonedx-core-java-4.0.0
cyclonedx-core-java-4.0.1
cyclonedx-core-java-4.0.2
cyclonedx-core-java-4.0.3
cyclonedx-core-java-4.1.0
cyclonedx-core-java-4.1.1
cyclonedx-core-java-4.1.2
cyclonedx-core-java-5.*
cyclonedx-core-java-5.0.0
cyclonedx-core-java-5.0.1
cyclonedx-core-java-5.0.2
cyclonedx-core-java-5.0.3
cyclonedx-core-java-5.0.4
cyclonedx-core-java-5.0.5
cyclonedx-core-java-6.*
cyclonedx-core-java-6.0.0
cyclonedx-core-java-7.*
cyclonedx-core-java-7.0.0
cyclonedx-core-java-7.1.0
cyclonedx-core-java-7.1.1
cyclonedx-core-java-7.1.2
cyclonedx-core-java-7.1.3
cyclonedx-core-java-7.1.4
cyclonedx-core-java-7.1.5
cyclonedx-core-java-7.1.6
cyclonedx-core-java-7.2.0
cyclonedx-core-java-7.2.1
cyclonedx-core-java-7.3.0
cyclonedx-core-java-7.3.1
cyclonedx-core-java-7.3.2
cyclonedx-core-java-8.*
cyclonedx-core-java-8.0.0
cyclonedx-core-java-8.0.1
cyclonedx-core-java-8.0.2
cyclonedx-core-java-8.0.3
cyclonedx-core-java-9.*
cyclonedx-core-java-9.0.0
cyclonedx-core-java-9.0.1
cyclonedx-core-java-9.0.2
cyclonedx-core-java-9.0.3
cyclonedx-core-java-9.0.4
cyclonedx-core-java-9.0.5
cyclonedx-core-java-9.1.0