CVE-2025-66371: Peppol-py is vulnerable to XXE attacks due to Saxon configuration

November 28, 2025 (updated December 1, 2025)

Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.

References

github.com/advisories/GHSA-24hm-wm2h-h8w7
github.com/iterasdev/peppol-py
github.com/iterasdev/peppol-py/commit/349a4bff8adb6205ea411bac8d7a06da0477abd7
github.com/iterasdev/peppol-py/pull/16
github.com/iterasdev/peppol-py/releases/tag/1.1.1
nvd.nist.gov/vuln/detail/CVE-2025-66371

Code Behaviors & Features

Detect and mitigate CVE-2025-66371 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →