CVE-2024-38374 Overview
CVE-2024-38374 is an XML External Entity (XXE) injection vulnerability in cyclonedx-core-java, the core module of the CycloneDX project. The library provides a model representation of Software Bill of Materials (SBOM) documents along with utilities to create, validate, and parse them. Before deserializing a CycloneDX BOM in XML format, the library uses XPath expressions to determine the schema version of the document. The underlying DocumentBuilderFactory was not configured to disable external entity resolution, allowing attacker-controlled XML input to trigger XXE. The issue is fixed in cyclonedx-core-java version 9.0.4 and is categorized under CWE-611.
Critical Impact
An attacker who can supply XML SBOM input to a vulnerable consumer can exfiltrate local files and trigger server-side request forgery through external entity resolution.
Affected Products
- CycloneDX cyclonedx-core-java versions prior to 9.0.4
- Java applications, build tools, and SBOM processors that depend on cyclonedx-core-java for XML BOM parsing
- CI/CD and supply chain tooling that ingests externally provided CycloneDX XML SBOMs
Discovery Timeline
- 2024-06-28 - CVE-2024-38374 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-38374
Vulnerability Analysis
The vulnerability resides in the XML parsing path used by cyclonedx-core-java to determine an incoming BOM's schema version. Before full deserialization, the library evaluates XPath expressions against the input document. To do this, it constructs a DocumentBuilderFactory instance without disabling external entity processing or DTD resolution. Any caller that passes attacker-influenced XML through this code path is exposed to XXE injection.
XXE allows the attacker to declare external entities in a DTD and reference them in document content. When parsed, the XML processor resolves those entities, reading files from the host or fetching URLs from the network. The result is unauthorized disclosure of local file content and outbound requests originating from the affected service.
Root Cause
The root cause is insecure default configuration of the DocumentBuilderFactory. Secure XML parsing requires disabling DTDs, disabling external general and parameter entities, and setting XMLConstants.FEATURE_SECURE_PROCESSING. None of these protections were applied in the schema-detection path, leaving entity resolution enabled.
Attack Vector
Exploitation is network-reachable and does not require authentication or user interaction. An attacker submits a crafted CycloneDX XML BOM containing a malicious external entity declaration. When the application calls into cyclonedx-core-java to parse or validate the SBOM, the underlying parser resolves the entity. The attacker reads files accessible to the JVM process or forces it to issue HTTP requests to internal hosts. See the GitHub Security Advisory GHSA-683x-4444-jxh8 for the upstream analysis.
Detection Methods for CVE-2024-38374
Indicators of Compromise
- CycloneDX XML BOM files containing <!DOCTYPE> declarations or <!ENTITY> definitions referencing file://, http://, or https:// URIs
- Outbound HTTP, FTP, or DNS connections originating from build agents or SBOM ingestion services to unexpected destinations during SBOM parsing
- Unexpected reads of sensitive files such as /etc/passwd, ~/.ssh/, or cloud metadata endpoints by Java processes that handle SBOM input
Detection Strategies
- Inventory Java applications and CI/CD pipelines for transitive dependencies on cyclonedx-core-java below 9.0.4 using dependency scanning.
- Inspect ingested CycloneDX XML SBOMs for DTD subsets and external entity declarations before they reach the parser.
- Correlate SBOM parsing events with subsequent outbound network connections from the same process to identify abnormal entity resolution.
Monitoring Recommendations
- Log and alert on DocumentBuilder and XPath instantiation in SBOM-processing services where DTD handling is not disabled.
- Monitor egress from build systems and supply-chain services to internal addresses, cloud metadata IPs such as 169.254.169.254, and unknown external hosts.
- Track version pinning of cyclonedx-core-java across repositories and fail builds that resolve a vulnerable version.
How to Mitigate CVE-2024-38374
Immediate Actions Required
- Upgrade cyclonedx-core-java to version 9.0.4 or later in all direct and transitive dependency declarations.
- Rebuild and redeploy any application, plugin, or CLI tool that bundles a vulnerable version of the library.
- Audit recent SBOM ingestion logs for XML inputs containing DOCTYPE or external entity references.
Patch Information
The fix is delivered in cyclonedx-core-java9.0.4. The maintainers reconfigured the DocumentBuilderFactory used for schema detection to disable DTDs and external entities. Implementation details are available in the upstream GitHub Pull Request #434 and the fix commit.
Workarounds
- Reject CycloneDX XML SBOMs that contain <!DOCTYPE> declarations at an ingress proxy or pre-parser before they reach the library.
- Prefer the CycloneDX JSON format over XML for untrusted SBOM input where the consuming application allows it.
- Run SBOM-processing workloads with restricted egress and minimal file system access to limit the impact of any residual XXE exposure.
# Configuration example: enforce a fixed library version in Maven
mvn dependency:tree | grep cyclonedx-core-java
# Pin the patched version in pom.xml
# <dependency>
# <groupId>org.cyclonedx</groupId>
# <artifactId>cyclonedx-core-java</artifactId>
# <version>9.0.4</version>
# </dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
