CVE-2025-64518
Description
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.cyclonedx:cyclonedx-core-javaMaven | >= 2.1.0, < 11.0.1 | 11.0.1 |
Affected products
6- Range: cyclonedx-core-java-1.0.0, cyclonedx-core-java-1.0.1, cyclonedx-core-java-1.0.2, …
- osv-coords5 versionspkg:apk/chainguard/dependency-trackpkg:apk/chainguard/dependency-track-bundledpkg:apk/wolfi/dependency-trackpkg:apk/wolfi/dependency-track-bundledpkg:maven/org.cyclonedx/cyclonedx-core-java
< 4.13.5-r1+ 4 more
- (no CPE)range: < 4.13.5-r1
- (no CPE)range: < 4.13.5-r1
- (no CPE)range: < 4.13.5-r1
- (no CPE)range: < 4.13.5-r1
- (no CPE)range: >= 2.1.0, < 11.0.1
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-6fhj-vr9j-g45rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-64518ghsaADVISORY
- cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.htmlnvdWEB
- github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9nvdWEB
- github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314nvdWEB
- github.com/CycloneDX/cyclonedx-core-java/pull/737nvdWEB
- github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45rnvdWEB
News mentions
0No linked articles in our index yet.