
Mr-Zepol

Rank #36725 of 53,633
Total CVSS: 7.5
Vulnerabilities: 1
PT-2024-27967 · CVSS 7.5 · 2024-06-24
Unknown · Cyclonedx-Core-Java · CVE-2024-38374

**Name of the Vulnerable Software and Affected Versions**

cyclonedx-core-java versions prior to 9.0.4

**Description**

The CycloneDX core module provides a model representation of SBOMs and utilities for creating, validating, and parsing them. Before deserializing a CycloneDX Bill of Materials in XML format, `cyclonedx-core-java` uses XPath expressions to determine the schema version. The `DocumentBuilderFactory` used to evaluate these XPath expressions was not configured securely, leading to a potential XML External Entity (XXE) injection issue. XXE injection can be exploited to extract local file content or to perform Server Side Request Forgery (SSRF) against adjacent infrastructure. The provided Proof of Concept (PoC) demonstrates the issue by triggering a connection error when a crafted XML document references a non-existent file.

**Recommendations**

Update cyclonedx-core-java to version 9.0.4 or later.