XML External Entity Injection Vulnerability in CycloneDX Core Module by CycloneDX
CVE-2025-64518

7.5 HIGH

Key Information:

Vendor:
CycloneDX

CVE Published:
10 November 2025

What is CVE-2025-64518?

CVE-2025-64518 is a vulnerability in the CycloneDX core module, which plays a central role in software bill of materials (SBOM) management: it creates, validates and parses SBOMs, giving a standardized way to represent software dependencies. The vulnerability is an XML External Entity (XXE) injection flaw. Because the XML Validator is improperly configured in versions 2.1.0 through 11.0.1, the module is susceptible to attacks that exploit its handling of XML input, potentially exposing sensitive data and causing the application to perform unexpected actions. Organizations relying on this library without addressing the vulnerability risk significant security breaches and data leaks, which could undermine the integrity of their software supply chain and their compliance with security standards.
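As an added illustration of what a correctly configured XML Validator looks like (this is not code from cyclonedx-core-java and not the project's actual fix), the following javax.xml.validation Validator refuses to fetch external DTDs, entities and schemas while validating untrusted XML. The schema and the input document are constructed stand-ins for a real CycloneDX BOM, and the entity URL is a placeholder.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.StringReader;
import org.xml.sax.SAXException;

public class HardenedXmlValidation {

    // Constructed minimal XSD standing in for the real CycloneDX schema (assumption).
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
      + "  <xs:element name='bom'><xs:complexType><xs:sequence>"
      + "    <xs:element name='component' type='xs:string'/>"
      + "  </xs:sequence></xs:complexType></xs:element>"
      + "</xs:schema>";

    // Constructed untrusted input: a DOCTYPE declaring an external entity. A validator
    // that resolves external entities would try to fetch the placeholder URL here.
    static final String UNTRUSTED =
        "<!DOCTYPE bom [<!ENTITY ext SYSTEM 'http://invalid.example/placeholder.txt'>]>"
      + "<bom><component>&ext;</component></bom>";

    static Validator hardenedValidator() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no xs:include/xs:import over network or file
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(XSD)));
        Validator v = schema.newValidator();
        // The Validator parses the instance document with its own parser, so it needs
        // its own restrictions; secure processing alone is not enough on every JAXP impl.
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // blocks external DTDs and entities
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // blocks xsi:schemaLocation fetches
        return v;
    }

    // Returns "rejected" when the parser refuses the external entity, "accepted" otherwise.
    static String check(String xml) throws Exception {
        try {
            hardenedValidator().validate(new StreamSource(new StringReader(xml)));
            return "accepted";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(check(UNTRUSTED)); // hardened validator reports the access restriction
    }
}
```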

Potential impact of CVE-2025-64518

  1. Data Leakage: Exploiting the XXE injection vulnerability could allow attackers to read sensitive files from the server or any system resources, leading to unauthorized access to confidential information such as passwords, private keys, or configuration files.

  2. Remote Code Execution: Attackers may leverage the vulnerability to execute arbitrary code on the server, resulting in full control over the application and further enabling malicious activities, including data manipulation or deployment of malware.

  3. Disruption of Operations: The exploitation of this vulnerability can result in severe service disruptions. Attackers can exploit the flaw to induce denial-of-service conditions, impairing the organization’s operational capabilities and potentially impacting business continuity.

Affected Version(s)

cyclonedx-core-java >= 2.1.0, <11.0.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 10 November 2025

  • Vulnerability reserved