Bug 2413922 (CVE-2025-64518)

Summary: CVE-2025-64518 cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aazores, abrianik, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, ccranfor, chfoley, clement.escoffier, cmah, dandread, darran.lofthouse, dkreling, dosoudil, eaguilar, ebaron, eric.wittmann, fjuma, fmariani, ggrzybek, gmalinko, gsmet, istudens, ivassile, iweiss, janstey, jmartisk, jolong, jpechane, jscholz, lthon, manderse, mosmerov, msvehla, nipatil, nwallace, olubyans, pantinor, parichar, pesilva, pgallagh, pjindal, pmackay, probinso, rguimara, rkubis, rruss, rstancel, rstepani, rsvoboda, sbiarozk, smaestri, swoodman, tasato, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library’s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM (XML) is validated, external XML entities can be processed (XXE), allowing an attacker to cause the application to disclose local files or make requests to internal network resources. This can occur when untrusted BOM XML is parsed or validated by the library.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-11-10 23:01:43 UTC
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
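As an added illustration (not code from cyclonedx-core-java, whose actual 11.0.1 fix is not shown on this page), the general JAXP hardening for a javax.xml.validation.Validator that is fed untrusted XML: the ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA restrictions have to be applied to the Validator itself, not only to the parser used to read the BOM, because a Validator handed a StreamSource parses the document on its own. The schema and the BOM instance below are constructed placeholders, not the CycloneDX schema.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.IOException;
import java.io.StringReader;
import org.xml.sax.SAXException;

public class HardenedBomValidation {
    // Constructed minimal schema standing in for the CycloneDX BOM schema (assumption, not the real one).
    static final String SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"bom\" type=\"xs:string\"/></xs:schema>";
    // Constructed BOM instance whose DOCTYPE declares an external entity. An insecurely configured
    // Validator would try to resolve it during validation; the hardened one refuses to touch it.
    static final String BOM_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?><!DOCTYPE bom [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
      + "<bom>&ext;</bom>";

    public static Validator hardenedValidator(String xsd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // No external DTD or schema fetches while compiling the schema itself.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(xsd)));
        Validator v = schema.newValidator();
        // Given a StreamSource, the Validator parses the instance document on its own, so it needs
        // the same restrictions; hardening only the BOM parser elsewhere leaves validation exposed.
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        v.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return v;
    }

    // True only when the document validates without the Validator raising an error.
    public static boolean validates(Validator v, String xml) {
        try {
            v.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Validator v = hardenedValidator(SCHEMA);
        System.out.println("plain BOM valid: " + validates(v, "<bom>ok</bom>"));
        System.out.println("BOM with external entity valid: " + validates(v, BOM_WITH_EXTERNAL_ENTITY));
    }
}
```

With the restrictions in place the second call fails with a SAXParseException reporting that access to the external entity is not allowed, before any file or network access is attempted.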