XPath.compile creates a new XPathExpression whose xmlSecMgr is null, which leaves the expression open to XXE (XML External Entity) and XEE (XML Entity Expansion) attacks.
This CVE was fixed in Oracle Java SE 8u491, 11.0.31, 17.0.19, 21.0.11 and 25.0.3:
https://www.oracle.com/java/technologies/javase/8u491-relnotes.html#R180_491
https://www.oracle.com/java/technologies/javase/11-0-31-relnotes.html#R11_0_31
https://www.oracle.com/java/technologies/javase/17-0-19-relnotes.html#R17_0_19
https://www.oracle.com/java/technologies/javase/21-0-11-relnotes.html
https://www.oracle.com/java/technologies/javase/25-0-3-relnotes.html
OpenJDK-8 upstream commit: https://github.com/openjdk/jdk8u/commit/c5f5d6f1c12908a15a048f8b083a58e1d365a22a
OpenJDK-11 upstream commit: https://github.com/openjdk/jdk11u/commit/846b87135976e18594e431661c87c9e1cdcba88e
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/418375446a75148c7db423249caac054c7a821a1
OpenJDK-21 upstream commit: https://github.com/openjdk/jdk21u/commit/266b72eb2bc34641105744eb371b5752568d5512
OpenJDK-25 upstream commit: https://github.com/openjdk/jdk25u/commit/33a9ded6bd907a1164f1da4b1cc8ac3bf035f612
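As an added illustration (not from the advisory or the JDK patches): on unpatched runtimes an application can keep its own XPath evaluation clear of the affected path by parsing untrusted XML with a hardened DocumentBuilder and evaluating the compiled expression against the resulting DOM, rather than handing the XPathExpression an InputSource to parse itself. It assumes that the InputSource-parsing path of XPathExpression is the one governed by xmlSecMgr; the sample document and class name are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXPath {

    // Constructed sample: a DOCTYPE declaring an external entity, the shape an
    // XXE payload takes. A hardened parser must reject it before anything resolves.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder-not-read\">]>\n"
      + "<r><name>&ext;</name></r>";

    // Parse untrusted XML with DOCTYPE processing disabled, then evaluate the
    // compiled expression against the DOM. The XPathExpression never sees the
    // raw InputSource, so its own (unconfigured) parser is never used on input.
    static String evaluateSafely(String xml, String expression) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        dbf.setXIncludeAware(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));

        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XPath xpath = xpf.newXPath();
        XPathExpression expr = xpath.compile(expression);
        return (String) expr.evaluate(doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println(evaluateSafely(SAMPLE, "/r/name"));
        } catch (SAXParseException e) {
            // Expected for SAMPLE: the DOCTYPE is rejected before any entity is read.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it against SAMPLE prints the parser's rejection of the DOCTYPE; a document without a DOCTYPE evaluates normally.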