CVE-2025-64518 Overview
CVE-2025-64518 is an XML External Entity (XXE) injection vulnerability affecting the CycloneDX core Java module (cyclonedx-core-java), a widely used library that provides a model representation of Software Bills of Materials (SBOMs) along with utilities for creating, validating, and parsing them. The vulnerability exists because the XML Validator component was not configured securely, allowing an attacker who can submit an SBOM for validation to trigger XXE injection during the validation operation.
This vulnerability is particularly notable as it represents an incomplete fix for a previous security issue (GHSA-683x-4444-jxh8 / CVE-2024-38374). While the earlier fix addressed XXE vulnerabilities in XML BOM parsing, it failed to secure the validation pathway, leaving applications exposed to similar attack vectors through the validation functionality.
Critical Impact
Attackers can exploit this XXE vulnerability to read sensitive files from the server, perform server-side request forgery (SSRF), or potentially cause denial of service conditions. Organizations using CycloneDX core Java versions 2.1.0 through 11.0.0 for SBOM validation are at risk of unauthorized data exfiltration.
Affected Products
- CycloneDX core-java versions 2.1.0 through 11.0.0
- Applications integrating cyclonedx-core-java for XML SBOM validation
- Software supply chain management systems using vulnerable CycloneDX library versions
Discovery Timeline
- 2025-11-10 - CVE-2025-64518 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2025-64518
Vulnerability Analysis
This vulnerability is classified under CWE-611 (Improper Restriction of XML External Entity Reference). The root issue lies in the XML Validator component's configuration, which fails to disable external entity processing. When an application uses the vulnerable cyclonedx-core-java library to validate XML-formatted SBOMs, the XML parser processes external entity references without restriction.
XXE injection attacks exploit this misconfiguration by embedding malicious entity declarations within XML documents. When the validator processes such documents, it resolves external references, potentially accessing local files, internal network resources, or causing resource exhaustion through entity expansion attacks (billion laughs attack).
The vulnerability is network-exploitable, requires no authentication, and can be triggered with minimal attacker effort. While the immediate impact is limited to confidentiality breaches (reading sensitive data), the information disclosed could facilitate further attacks on the affected system.
Root Cause
The vulnerability stems from the SchemaFactory and XML Validator components not being configured with the necessary security features to prevent XXE attacks. Specifically, the validator fails to disable DOCTYPE declarations, external general entities, and external parameter entities as recommended by the OWASP XML External Entity Prevention Cheat Sheet.
The original fix for CVE-2024-38374 addressed the XML parsing code path but overlooked the separate validation code path, which uses its own XML processing configuration. This demonstrates the importance of comprehensive security audits across all XML processing components within an application.
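The following is an added example, not code from cyclonedx-core-java, showing what a hardened SchemaFactory/Validator pair looks like when configured along the lines of the OWASP XXE Prevention Cheat Sheet. The key point it demonstrates is the one the root cause describes: the Validator carries its own parser settings, so locking down the SchemaFactory alone leaves the validation path open. The XSD and the two documents are constructed for the demonstration (the real CycloneDX schema is much larger), and the probe document references a path that does not need to exist, because the accessExternalDTD restriction refuses the fetch before anything is opened.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

// Added example (not cyclonedx-core-java code): a validator that cannot reach
// external DTDs, external entities or remote schema documents.
public final class HardenedBomValidator {

    // Constructed stand-in for the real CycloneDX XSD.
    private static final String DEMO_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"bom\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"component\" type=\"xs:string\" maxOccurs=\"unbounded\"/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    public static Validator newHardenedValidator(String xsd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Secure processing turns on the JAXP entity-expansion and size limits.
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list means "no protocol allowed": nothing external
        // is fetched while the schema itself is loaded.
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(xsd)));

        // The Validator has its own parser and its own configuration. This is the
        // code path the earlier fix missed, so it must be locked down separately.
        Validator v = schema.newValidator();
        v.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return v;
    }

    // Returns true when the document validates, false when the validator rejects it.
    public static boolean validates(Validator v, String xml) {
        try {
            v.validate(new StreamSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Validator v = newHardenedValidator(DEMO_XSD);
        String benign = "<bom><component>acme-lib</component></bom>";
        // Constructed probe: an external entity whose target need not exist. With
        // accessExternalDTD set to "" the resolver refuses the access outright.
        String probe = "<!DOCTYPE bom [<!ENTITY ext SYSTEM \"file:///demo/does-not-exist\">]>"
                     + "<bom><component>&ext;</component></bom>";
        System.out.println("benign accepted: " + validates(v, benign));
        System.out.println("probe accepted:  " + validates(v, probe));
    }
}
```

With both objects configured, the benign document validates and the probe is rejected with a SAXParseException describing the blocked external access; removing the three calls on the Validator alone is enough to reopen the path, which is exactly the shape of the incomplete fix described above.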
Attack Vector
The attack vector is network-based, allowing remote exploitation without user interaction. An attacker can craft a malicious XML SBOM document containing external entity references and submit it to any application that uses the vulnerable library for validation. The attack flow involves:
- Attacker crafts an XML SBOM with malicious external entity declarations referencing sensitive local files (e.g., /etc/passwd, application configuration files)
- The malicious SBOM is submitted to the target application for validation
- The vulnerable CycloneDX validator processes the XML and resolves the external entity
- File contents or internal network responses are included in error messages or validation output, leaking sensitive information to the attacker
Typical XXE payloads target sensitive configuration files, cloud metadata endpoints (such as http://169.254.169.254/), or internal services. For detailed examples of XXE attack patterns, refer to the OWASP XXE Prevention Cheat Sheet.
Detection Methods for CVE-2025-64518
Indicators of Compromise
- Unexpected outbound network connections from servers processing SBOM documents
- Anomalous file access attempts to sensitive system files like /etc/passwd, /etc/shadow, or application configuration files
- Error logs containing file contents or internal network responses that should not appear in validation output
- Requests to cloud metadata endpoints (e.g., AWS IMDSv1 at 169.254.169.254) from SBOM processing services
Detection Strategies
- Monitor and alert on outbound DNS queries or HTTP requests originating from SBOM validation services to unexpected destinations
- Implement application logging that captures XML validation errors and analyze for patterns indicating XXE exploitation attempts
- Deploy web application firewalls (WAF) with rules to detect and block XML payloads containing DOCTYPE declarations or entity references
- Use SentinelOne's behavioral AI to detect anomalous file system access patterns from Java applications processing XML documents
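As an added illustration of the log-analysis item above (not part of the original advisory, and not tied to any particular product), the class below scans SBOM validation log lines for two kinds of indicator: text that only appears when a submitted BOM carried a DTD or entity declaration, or when the parser blocked an external fetch, and content that looks like a file or metadata-service response echoed back into an error message. The log format and every sample line are constructed for the demonstration; the patterns need adapting to what a real validator actually writes.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: triage of SBOM validation log lines for XXE indicators.
// Log format and lines are constructed; patterns are a starting point, not a product rule.
public final class XxeLogTriage {

    // Present only when a DTD or entity declaration reached the validator, or when
    // the JAXP accessExternalDTD restriction blocked an external fetch.
    private static final Pattern DTD_MARKERS = Pattern.compile(
        "(?i)<!DOCTYPE|<!ENTITY|\\bSYSTEM\\s+[\"']|accessExternalDTD|external entity");

    // Looks like local file content or metadata-service data echoed into an error.
    private static final Pattern LEAK_MARKERS = Pattern.compile(
        "root:x:0:0:|\\b169\\.254\\.169\\.254\\b|BEGIN [A-Z ]*PRIVATE KEY");

    public static List<String> flag(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            if (DTD_MARKERS.matcher(line).find()) {
                findings.add("dtd-or-entity: " + line);
            } else if (LEAK_MARKERS.matcher(line).find()) {
                findings.add("possible-leak: " + line);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log lines.
        List<String> sample = List.of(
            "2025-11-11T10:02:13Z INFO  bom-validator upload 41 validated ok",
            "2025-11-11T10:05:41Z WARN  bom-validator upload 42 rejected: Failed to read external DTD,"
                + " access is not allowed due to restriction set by the accessExternalDTD property",
            "2025-11-11T10:05:42Z ERROR bom-validator upload 43 failed: invalid content in component name:"
                + " root:x:0:0:root:/root:/bin/bash",
            "2025-11-11T10:07:00Z INFO  bom-validator upload 44 validated ok");
        for (String finding : flag(sample)) {
            System.out.println(finding);
        }
    }
}
```

The first category is worth alerting on even after the upgrade: a blocked external fetch means someone submitted a BOM with an external reference, which is never legitimate for a CycloneDX document. The second category is the signal you want while still on a vulnerable version, since it indicates the entity was actually resolved and its content surfaced in validation output.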
Monitoring Recommendations
- Enable verbose logging on SBOM processing components to capture validation operations and potential exploitation attempts
- Monitor Java process behavior for unexpected file reads outside normal application directories
- Track network connections from application servers to internal metadata services and external hosts
- Review application dependency manifests to identify use of cyclonedx-core-java versions between 2.1.0 and 11.0.0
How to Mitigate CVE-2025-64518
Immediate Actions Required
- Upgrade cyclonedx-core-java to version 11.0.1 or later immediately
- Audit all applications in your environment for use of affected CycloneDX library versions
- Review recent SBOM validation logs for indicators of exploitation attempts
- Consider temporarily disabling XML SBOM validation if upgrade cannot be performed immediately
Patch Information
The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. The fix properly configures the XML Validator to disable external entity processing. Organizations should upgrade to this version as soon as possible.
Relevant patch commits are available on GitHub:
For detailed information about the security fix, see the GitHub Security Advisory GHSA-6fhj-vr9j-g45r and Pull Request #737.
Workarounds
- Reject XML-format BOM documents at the application layer before they ever reach cyclonedx-core-java's validator
- Require all incoming CycloneDX BOMs to be in JSON format only, bypassing the vulnerable XML validation pathway
- Implement input validation to strip or reject any XML documents containing DOCTYPE declarations before validation
- Use network segmentation to limit the impact of potential SSRF exploitation from SBOM processing services
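For the DOCTYPE-rejection workaround above, the following is an added example (not code from cyclonedx-core-java) of an application-layer gate placed in front of the library. It uses a StAX reader with DTD support and external entity resolution switched off, rather than a byte-level search for the string "<!DOCTYPE", so that UTF-16 input and byte-order marks are handled correctly. Because XML only permits a DOCTYPE before the root element, the scan can stop as soon as the root start tag is reached. The three input documents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example: refuse any BOM carrying a DOCTYPE before it reaches the library validator.
public final class BomDoctypeGate {

    private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();
    static {
        // Even while scanning, never process a DTD or resolve anything external.
        FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    }

    // Returns true only when the prolog reaches the root element with no DOCTYPE seen.
    public static boolean hasNoDoctype(byte[] bom) {
        XMLStreamReader r = null;
        try {
            r = FACTORY.createXMLStreamReader(new ByteArrayInputStream(bom));
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.DTD) {
                    return false;            // DOCTYPE present: reject
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    return true;             // root reached, prolog was clean
                }
            }
            return false;                    // no root element: malformed, reject
        } catch (XMLStreamException e) {
            // Some StAX implementations throw on a DOCTYPE when SUPPORT_DTD is false;
            // either way this document is not handed on to the validator.
            return false;
        } finally {
            if (r != null) {
                try { r.close(); } catch (XMLStreamException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration.
        byte[] clean = "<?xml version=\"1.0\"?><bom><component>acme-lib</component></bom>"
                .getBytes(StandardCharsets.UTF_8);
        byte[] withDtd = "<?xml version=\"1.0\"?><!DOCTYPE bom [<!ENTITY e \"x\">]><bom>&e;</bom>"
                .getBytes(StandardCharsets.UTF_8);
        // UTF-16 with a byte-order mark: a naive byte search for "<!DOCTYPE" misses this one.
        byte[] utf16 = "<?xml version=\"1.0\" encoding=\"UTF-16\"?><!DOCTYPE bom><bom/>"
                .getBytes(StandardCharsets.UTF_16);

        System.out.println("clean  -> " + hasNoDoctype(clean));
        System.out.println("dtd    -> " + hasNoDoctype(withDtd));
        System.out.println("utf16  -> " + hasNoDoctype(utf16));
    }
}
```

Only documents for which hasNoDoctype returns true should be passed to the library's validator. The gate is a stopgap for the window before the upgrade to 11.0.1; it does not replace the fix, because it says nothing about how the library itself is configured.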
# Dependency check example - identify affected library versions in Maven projects.
# In a pom.xml the <version> element normally sits on the line after the artifactId,
# so print two lines of context and then filter for versions in the 2.1.0 - 11.0.0 range.
# Versions supplied through properties (e.g. ${cyclonedx.version}) or a parent/BOM
# import will not match and must be checked by hand.
grep -rn --include=pom.xml -A 2 "cyclonedx-core-java" . \
  | grep -E "<version>(2\.[1-9][0-9]*\.[0-9]+|[3-9]\.[0-9]+\.[0-9]+|10\.[0-9]+\.[0-9]+|11\.0\.0)</version>"
# For Gradle projects (coordinates and version are on one line)
grep -rn --include=build.gradle --include=build.gradle.kts "cyclonedx-core-java" . \
  | grep -E "cyclonedx-core-java:(2\.[1-9][0-9]*\.[0-9]+|[3-9]\.[0-9]+\.[0-9]+|10\.[0-9]+\.[0-9]+|11\.0\.0)\b"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.