CVE-2024-34345: CycloneDX JavaScript Library XXE Vulnerability

CVE-2024-34345 is an XML External Entity (XXE) injection flaw in the CycloneDX JavaScript library that affects the XML Validator component. This article covers technical details, affected versions, and mitigation strategies.

CVE-2024-34345 Overview

CVE-2024-34345 is an XML External Entity (XXE) injection vulnerability affecting the OWASP CycloneDX JavaScript library, which provides core Software Bill of Materials (SBOM) functionality for JavaScript projects. The flaw exists in version 6.7.0 of the library, where the XmlValidator component processes XML input with external entity resolution enabled. An attacker who can submit arbitrary XML to the validator can trigger external entity resolution. The maintainers fixed the issue in version 6.7.1 by reverting parser options to the safer configuration used in version 6.6.1. The vulnerability is tracked under CWE-611: Improper Restriction of XML External Entity Reference.

Critical Impact

Successful XXE exploitation against an application running the CycloneDX XML validator can lead to file disclosure, server-side request forgery, and denial of service against the host process.

Affected Products

  • OWASP CycloneDX JavaScript library version 6.7.0
  • Downstream tooling that invokes XmlValidator from @cyclonedx/cyclonedx-library 6.7.0
  • SBOM generation and validation pipelines depending on the affected release

Discovery Timeline

  • 2024-05-14 - CVE-2024-34345 published to the National Vulnerability Database
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2024-34345

Vulnerability Analysis

The vulnerability resides in src/validation/xmlValidator.node.ts, the Node.js implementation of the CycloneDX XML validator. In version 6.7.0, the parser options passed to the underlying libxmljs2 parser included noent: true, which instructs the parser to substitute XML entities during parsing. When combined with arbitrary input passed to the validator, this enables an attacker to define malicious external entities that the parser will resolve.

XXE exploitation against a vulnerable application can read local files accessible to the Node.js process, perform outbound network requests from the host, or exhaust resources through entity expansion. Because SBOM validation is frequently performed inside continuous integration runners and supply chain tooling, the attack surface includes environments that often hold cloud credentials and source code.

Root Cause

The root cause is an unsafe XML parser configuration. The noent option was enabled in the frozen xmlParseOptions object, overriding the safer default behavior. While nonet: true blocked direct network fetches for external DTDs, entity substitution against local resources remained possible.

Attack Vector

Exploitation requires the target application to call XmlValidator.validate() on attacker-controlled XML. The attack vector is network-reachable wherever such validation is exposed, including SBOM ingestion endpoints, build pipelines, and supply chain scanning services.

typescript
 const xmlParseOptions: Readonly<ParserOptions> = Object.freeze({
   nonet: true,
-  compact: true,
-  noent: true // prevent https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1061
+  compact: true
 })
 
 export class XmlValidator extends BaseValidator {
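Review bot: the removed line carried the only recorded reason for setting noent (the reference to issue 1061), and the hunk replaces it with nothing, so a future contributor chasing that same issue could reintroduce the option; add a comment on the frozen xmlParseOptions stating that noent must stay off because entity substitution on untrusted SBOM input is an XXE vector, and add a regression test that feeds the validator a document with a DOCTYPE and ENTITY declaration and asserts the entity is not expanded. Keeping nonet: true is correct but not sufficient on its own, since it only blocks network fetches.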

Source: GitHub commit 5e5e1e0. The patch removes the noent: true option, disabling entity substitution during validation.

Detection Methods for CVE-2024-34345

Indicators of Compromise

  • XML payloads submitted to SBOM validation endpoints containing <!DOCTYPE> declarations with <!ENTITY> definitions referencing SYSTEM or PUBLIC identifiers
  • Outbound requests from Node.js processes running CycloneDX tooling to unexpected internal hosts or file URIs
  • Build pipeline logs showing unexpected file reads such as /etc/passwd or cloud metadata endpoints during SBOM validation steps

Detection Strategies

  • Inventory all Node.js projects using @cyclonedx/cyclonedx-library at version 6.7.0 via npm ls or lockfile inspection across repositories
  • Inspect application logs from any service exposing CycloneDX XML validation for malformed or entity-laden XML submissions
  • Apply static application security testing rules that flag XML parsers configured with entity resolution enabled
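To support the inventory step above, here is an added example (not code from the CycloneDX project) that scans an npm lockfile for every copy of @cyclonedx/cyclonedx-library and flags the affected 6.7.0 release, including transitive copies nested under other packages; the package name example-sbom-tool in the sample lockfile is a constructed placeholder.

```javascript
// Added example (not from the CycloneDX project): find every copy of the library
// in an npm lockfile and flag the affected 6.7.0 release, nested copies included.
'use strict';

const PKG = '@cyclonedx/cyclonedx-library';
const AFFECTED = new Set(['6.7.0']); // only 6.7.0 shipped noent: true

// Handle both lockfile layouts: lockfileVersion 2/3 has a flat "packages" map
// keyed by install path; lockfileVersion 1 has a nested "dependencies" tree.
function findLibraryCopies(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/' + PKG) && meta && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        if (name === PKG && meta.version) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Copies that still need the upgrade to 6.7.1 or later.
function vulnerableCopies(lock) {
  return findLibraryCopies(lock).filter((c) => AFFECTED.has(c.version));
}

// Constructed sample (v3 layout): the app pins the fixed release, but a
// hypothetical SBOM tool bundles its own 6.7.0 copy underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/@cyclonedx/cyclonedx-library': { version: '6.7.1' },
    'node_modules/example-sbom-tool': { version: '1.0.0' },
    'node_modules/example-sbom-tool/node_modules/@cyclonedx/cyclonedx-library': { version: '6.7.0' },
  },
};

console.log(vulnerableCopies(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a plain `npm ls @cyclonedx/cyclonedx-library` only reports what is installed, whereas the lockfile is what CI will install.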

Monitoring Recommendations

  • Monitor egress traffic from CI/CD runners and SBOM processing services for connections to attacker-controlled or internal-only destinations
  • Alert on file system access patterns from Node.js processes that diverge from established baselines during validation operations
  • Track dependency manifests in source control for reintroduction of the vulnerable 6.7.0 release

How to Mitigate CVE-2024-34345

Immediate Actions Required

  • Upgrade @cyclonedx/cyclonedx-library to version 6.7.1 or later in all projects and lockfiles
  • Audit downstream consumers and SBOM tooling that bundle the library to confirm they ship the fixed version
  • Restrict the inputs accepted by services that expose XmlValidator.validate() to trusted sources until the upgrade is verified
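As a compensating control for the last action above, here is an added example (not code from the CycloneDX project) of an input gate that rejects any XML carrying a DTD before it is handed to the validator; the validate callback is a caller-supplied placeholder standing in for XmlValidator.validate, and the SBOM snippets are constructed.

```javascript
// Added example (not from the CycloneDX project): a conservative input gate that
// rejects XML carrying a DTD before it reaches the validator. A CycloneDX SBOM
// never needs a DOCTYPE, so any DTD construct is a sufficient reason to refuse it.
'use strict';

// Each marker only occurs inside a document type declaration.
const DTD_MARKERS = [
  { re: /<!DOCTYPE\b/i, reason: 'DOCTYPE declaration present' },
  { re: /<!ENTITY\b/i, reason: 'ENTITY declaration present' },
  { re: /<!ENTITY\s+%/i, reason: 'parameter entity declaration present' },
  { re: /\b(SYSTEM|PUBLIC)\s+["']/, reason: 'external identifier present' },
];

// Return the reasons to reject, or an empty array when no DTD construct is found.
// Comments are stripped first so a commented-out "<!DOCTYPE" is not flagged;
// CDATA is left in place on purpose, so the gate errs on the side of rejecting.
function dtdFindings(xml) {
  const stripped = xml.replace(/<!--[\s\S]*?-->/g, '');
  return DTD_MARKERS.filter((m) => m.re.test(stripped)).map((m) => m.reason);
}

// Gate an untrusted document: `validate` is a caller-supplied function standing
// in for XmlValidator.validate (kept synchronous here), invoked only on clean input.
function validateUntrustedXml(xml, validate) {
  const findings = dtdFindings(xml);
  if (findings.length > 0) {
    return { accepted: false, findings, validationErrors: null };
  }
  return { accepted: true, findings, validationErrors: validate(xml) };
}

// Constructed samples: a minimal CycloneDX-shaped document, and the same
// document with an internal entity declaration prepended.
const CLEAN_BOM =
  '<?xml version="1.0" encoding="UTF-8"?>\n' +
  '<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">\n' +
  '  <components><component type="library"><name>example</name>' +
  '<version>1.0.0</version></component></components>\n' +
  '</bom>\n';
const DTD_BOM = CLEAN_BOM.replace(
  '<bom ',
  '<!DOCTYPE bom [<!ENTITY greeting "hello">]>\n<bom ',
);

const stubValidate = (xml) => (xml.includes('<bom ') ? null : 'not a bom document');
console.log(validateUntrustedXml(CLEAN_BOM, stubValidate));
console.log(validateUntrustedXml(DTD_BOM, stubValidate));
```

The gate is a stopgap, not a substitute for the upgrade: it keeps DTD-bearing input away from a parser whose configuration you do not control, but the parser options in 6.7.1 are what actually close the hole.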

Patch Information

The fix is committed in GitHub commit 5e5e1e0 and merged via pull request #1063. Details are published in the GHSA-38gf-rh2w-gmj7 security advisory. The patch reverts the XML parser configuration to match the safe behavior of version 6.6.1.

Workarounds

  • Pin transitive dependencies to version 6.6.1 if 6.7.1 cannot be adopted immediately
  • Disable any code paths that call the XML validator on untrusted input and rely on JSON-format SBOM validation instead
  • Run SBOM validation in network-isolated sandboxes with read-only file system mounts to limit XXE impact

bash
# Upgrade the CycloneDX JavaScript library to the patched release
npm install @cyclonedx/cyclonedx-library@^6.7.1
npm ls @cyclonedx/cyclonedx-library

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.