Headline
GHSA-6fhj-vr9j-g45r: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
Impact
The XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.
The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete: it only secured parsing of XML BOMs, not their validation.
Patches
The vulnerability has been fixed in cyclonedx-core-java version 11.0.1.
Workarounds
If feasible, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
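The following is an added example, not code from the cyclonedx-core-java project, showing both points above: the SchemaFactory / Validator hardening that the OWASP cheat sheet linked below recommends (external DTD and schema access disabled, DOCTYPE declarations rejected before validation), and the JSON-only gate described as a workaround. The tiny XSD, the sample BOM documents and the class name are constructed for the demo and stand in for the real CycloneDX schema.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public final class HardenedBomValidation {

    // Constructed minimal schema used only for this demo; it is NOT the CycloneDX XSD.
    static final String DEMO_XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"bom\"><xs:complexType><xs:sequence>"
      + "<xs:element name=\"component\" type=\"xs:string\" maxOccurs=\"unbounded\"/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    /** SchemaFactory that cannot fetch external DTDs or schemas while loading the XSD. */
    static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }

    /** Wraps the document in a SAXSource whose reader refuses any DOCTYPE and all external entities. */
    static Source hardenedSource(String xml) throws SAXException, ParserConfigurationException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    /** Validates an XML BOM with every external-access avenue closed on factory, validator and reader. */
    static void validate(String xml) throws SAXException, IOException, ParserConfigurationException {
        Schema schema = hardenedSchemaFactory().newSchema(new StreamSource(new StringReader(DEMO_XSD)));
        Validator validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        validator.validate(hardenedSource(xml));
    }

    /** Workaround gate: true when the payload looks like XML, so a JSON-only pipeline can reject it early. */
    static boolean looksLikeXml(String bom) {
        String s = bom.stripLeading();
        if (s.startsWith("\uFEFF")) {
            s = s.substring(1).stripLeading(); // drop a UTF-8 byte-order mark before sniffing
        }
        return s.startsWith("<");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample BOMs for the demo.
        String good = "<bom><component>example-lib 1.0</component></bom>";
        String withDoctype = "<!DOCTYPE bom [<!ENTITY n \"x\">]><bom><component>&n;</component></bom>";
        String json = "{\"bomFormat\":\"CycloneDX\",\"specVersion\":\"1.6\"}";

        validate(good);
        System.out.println("well-formed BOM accepted");

        try {
            validate(withDoctype); // even a harmless internal DOCTYPE is refused up front
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println("json looks like XML? " + looksLikeXml(json));
        System.out.println("good looks like XML? " + looksLikeXml(good));
    }
}
```

Disabling access on the SchemaFactory alone is not enough: the Validator has its own ACCESS_EXTERNAL_* properties, and the reader that parses the instance document is where a DOCTYPE would be resolved, which is why all three layers are configured here.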
References
- The issue was introduced via https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
- The issue was fixed via https://github.com/CycloneDX/cyclonedx-core-java/pull/737
- https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-64518
CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection
Package
maven org.cyclonedx:cyclonedx-core-java (Maven)
Affected versions
>= 2.1.0, < 11.0.1
Published to the GitHub Advisory Database
Nov 10, 2025
Last updated
Nov 10, 2025