XML External Entity Injection Vulnerability in CycloneDX Core Module by CycloneDX
CVE-2025-64518

7.5 HIGH

Key Information:

Vendor: CycloneDX

CVE Published: 10 November 2025

What is CVE-2025-64518?

The XML Validator in the CycloneDX core module (cyclonedx-core-java), in versions from 2.1.0 before 11.0.1, is vulnerable to XML External Entity (XXE) injection. The flaw stems from an insecurely configured XML parser, which lets an attacker exploit the XML parsing process. Earlier updates addressed some of the security concerns but only partially resolved the issue, leaving the XML validation path vulnerable. Users should update to 11.0.1 or later, or, as a workaround, validate XML documents before submitting them to the library.
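A hardened validation path of the kind the workaround calls for, written in Java against the standard javax.xml APIs. This is an added example, not code from cyclonedx-core-java; the schema, the input document and the placeholder host are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
public class HardenedXmlValidation {
    // Constructed stand-in schema (not the CycloneDX BOM XSD): one <bom> element with text content.
    static final String SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"bom\" type=\"xs:string\"/></xs:schema>";
    // Constructed untrusted input: a DOCTYPE declaring an external entity (placeholder host).
    static final String UNTRUSTED = "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE bom [<!ENTITY ext SYSTEM \"http://placeholder.invalid/x\">]><bom>&ext;</bom>";
    // The reader feeding the validator must refuse DOCTYPEs itself; hardening only the Validator is not enough.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf.newSAXParser().getXMLReader();
    }
    // Schema loading and validation get external DTD/schema access switched off (JAXP 1.5 properties).
    static Validator hardenedValidator() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Validator v = sf.newSchema(new StreamSource(new StringReader(SCHEMA))).newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }
    // True if the document is schema-valid; any DOCTYPE is rejected by the reader before validation starts.
    public static boolean validate(String xml) throws Exception {
        try {
            hardenedValidator().validate(new SAXSource(hardenedReader(), new InputSource(new StringReader(xml))));
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }
}
```

Calling validate(UNTRUSTED) returns false because the reader rejects the DOCTYPE before any entity can be resolved, while a plain <bom>ok</bom> document validates against the stand-in schema.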

Affected Version(s)

cyclonedx-core-java >= 2.1.0, <11.0.1

CVSS v3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
