XML External Entity Injection Vulnerability in DSpace Repository Software
CVE-2025-53621
What is CVE-2025-53621?
The DSpace repository software contains an XML External Entity (XXE) injection vulnerability because external entities were not disabled during XML parsing. All versions prior to 7.6.4, 8.2, and 9.1 are affected. When XML files are imported, whether from the command line or through the user interface, external entities in those files can cause the server to connect to attacker-controlled sites or to read local files with the privileges of the Tomcat user. Sensitive data such as server configuration files may therefore be exposed, and the risk is significant wherever DSpace administrators cannot be fully trusted or may unintentionally import malicious data. To mitigate this risk, upgrade immediately to a patched version; alternatively, apply the manual patches and follow the best practice of inspecting SAF archives thoroughly before importing them.
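The root cause stated above is a parser that still resolves external entities. The following is an added example, not DSpace project code, of how a Java importer can configure `DocumentBuilderFactory` so that a DOCTYPE (and with it any entity declaration) is rejected before the parser ever tries to fetch anything. The `dublin_core.xml`-style document is a constructed SAF-like input, the `file:///PLACEHOLDER_PATH` URI is a placeholder, and the class and method names are this example's own.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example (not DSpace project code): parse SAF metadata XML with a
 * DocumentBuilderFactory hardened against XXE, and show that a document
 * declaring an external entity is rejected before any entity is resolved.
 */
public class HardenedSafXmlParser {

    /** A factory that refuses DOCTYPE declarations and all external resolution. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: no DOCTYPE at all, so no entity declarations can appear.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE is ever permitted again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty value blocks every protocol for DTD/schema fetches.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parse an XML string; throws SAXException on a DOCTYPE or entity declaration. */
    static Document parse(String xml) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        // Last line of defence: refuse to resolve anything the parser still asks for.
        builder.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("External entity resolution blocked: " + systemId);
        });
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed SAF-style metadata without a DOCTYPE: parses normally.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<dublin_core schema=\"dc\">\n"
            + "  <dcvalue element=\"title\" qualifier=\"none\">Example item</dcvalue>\n"
            + "</dublin_core>\n";
        Document doc = parse(benign);
        System.out.println("Parsed title: "
            + doc.getElementsByTagName("dcvalue").item(0).getTextContent());

        // Constructed test input that declares an external entity (placeholder URI).
        // The hardened factory rejects the DOCTYPE itself, so the URI is never opened.
        String hostile = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE dublin_core [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>\n"
            + "<dublin_core schema=\"dc\"><dcvalue element=\"title\">&ext;</dcvalue></dublin_core>\n";
        try {
            parse(hostile);
            System.out.println("UNEXPECTED: hostile document was accepted");
        } catch (SAXException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE is the control that matters most: without it the individual entity features must each be correct for every parser implementation, whereas a rejected DOCTYPE removes the entity declarations entirely. The same factory settings apply to any other XML an importer reads from a SAF archive, not only the Dublin Core metadata file.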

Affected Version(s)
Product | Affected range | Fixed / unaffected
DSpace | < 7.6.4 | < 7.6.4
DSpace | >= 8.0, < 8.2 | < 8.0, 8.2
DSpace | >= 9.0, < 9.1 | < 9.0, 9.1
