High severity 8.1 · NVD Advisory · Published May 14, 2024 · Updated Apr 15, 2026
CVE-2024-34345
Description
The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In version 6.7.0, XML external entity (XXE) injection was possible when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @cyclonedx/cyclonedx-library (npm) | >= 6.7.0, < 6.7.1 | 6.7.1 |
Patches
- 5e5e1e0b9422
- 7c3409657616
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-38gf-rh2w-gmj7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-34345 (ghsa, ADVISORY)
- github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203 (nvd, WEB)
- github.com/CycloneDX/cyclonedx-javascript-library/pull/1063 (nvd, WEB)
- github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7 (nvd, WEB)