CVE-2025-64518: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
(updated )
The XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.
The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 has been incomplete in that it only fixed parsing of XML BOMs, but not validation.
References
- cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- github.com/CycloneDX/cyclonedx-core-java
- github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
- github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314
- github.com/CycloneDX/cyclonedx-core-java/pull/737
- github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r
- github.com/advisories/GHSA-6fhj-vr9j-g45r
- nvd.nist.gov/vuln/detail/CVE-2025-64518
Code Behaviors & Features
Detect and mitigate CVE-2025-64518 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →