CVE-2025-64518
Description
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.cyclonedx:cyclonedx-core-javaMaven | >= 2.1.0, < 11.0.1 | 11.0.1 |
Affected products
1- Range: cyclonedx-core-java-1.0.0, cyclonedx-core-java-1.0.1, cyclonedx-core-java-1.0.2, …
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-6fhj-vr9j-g45rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-64518ghsaADVISORY
- cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.htmlnvdWEB
- github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9nvdWEB
- github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314nvdWEB
- github.com/CycloneDX/cyclonedx-core-java/pull/737nvdWEB
- github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45rnvdWEB
News mentions
0No linked articles in our index yet.