PT-2024-25802 · Unknown · Cyclonedx Javascript Library

Jkowalleck · Published 2024-05-08 · Updated 2024-05-18 · CVE-2024-34345

CVSS v3.1: 8.1 (High) · Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CycloneDX JavaScript library version 6.7.0

Description: The CycloneDX JavaScript library is vulnerable to XML External Entity (XXE) injection when its provided XML validator (XmlValidator) is run on arbitrary input. The issue was fixed in version 6.7.1. An attacker who controls the XML being validated could craft input that declares an external entity; validator.validate(input) then processes that input and may resolve the external entity, leading to unintended behavior. The proof-of-concept for this issue is a forged input of exactly this kind, carrying an XML external entity injection.

Recommendations: For version 6.7.0, update to version 6.7.1 to fix the issue. As a temporary workaround, do not run the provided XML validator on untrusted inputs.
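The workaround above amounts to keeping DTD-bearing XML away from the validator. As an added, defender-side example (not code from this advisory or from the CycloneDX project), the following Node.js guard implements that rule: a CycloneDX BOM never needs a DOCTYPE, and a DOCTYPE is the only place an ENTITY can be declared or an external DTD referenced, so any input carrying one is refused before a parser sees it. `stubValidate` is a hypothetical stand-in for the library's `validator.validate(input)`, and the sample documents are constructed here.

```javascript
'use strict';

// Linear scan for a DOCTYPE declaration outside comments and CDATA sections,
// so that the literal text "<!DOCTYPE" inside those does not cause a false
// rejection. Over-rejection elsewhere (e.g. inside a processing instruction)
// is accepted: a BOM has no legitimate reason to carry that text.
function inspectXml(xml) {
  const n = xml.length;
  let i = 0;
  while (i < n) {
    if (xml.startsWith('<!--', i)) {
      const end = xml.indexOf('-->', i + 4);
      // Fail closed: malformed input is not handed on to the validator.
      if (end === -1) return { ok: false, reason: 'unterminated-comment', offset: i };
      i = end + 3;
    } else if (xml.startsWith('<![CDATA[', i)) {
      const end = xml.indexOf(']]>', i + 9);
      if (end === -1) return { ok: false, reason: 'unterminated-cdata', offset: i };
      i = end + 3;
    } else if (xml.slice(i, i + 9).toUpperCase() === '<!DOCTYPE') {
      // Case-insensitive on purpose: XML requires uppercase, but a lenient
      // parser downstream might not, and a reject-guard should not be fooled.
      return { ok: false, reason: 'doctype', offset: i };
    } else {
      i += 1;
    }
  }
  return { ok: true };
}

// Wraps an existing validator so that inputs with a DOCTYPE are refused
// instead of parsed. `validate` is whatever the caller would otherwise run;
// here it models validator.validate(input) from the advisory (assumed shape:
// XML string in, result object out).
function guardedValidate(xml, validate) {
  const verdict = inspectXml(xml);
  if (!verdict.ok) {
    return { accepted: false, reason: verdict.reason, offset: verdict.offset };
  }
  return { accepted: true, result: validate(xml) };
}

// Constructed samples (not taken from the advisory or its proof of concept).
const CLEAN_BOM = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <!-- the text <!DOCTYPE inside a comment is just text -->
  <components/>
</bom>`;

const BOM_WITH_CDATA = `<?xml version="1.0"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata><component type="library"><name><![CDATA[<!DOCTYPE x>]]></name></component></metadata>
</bom>`;

// A DTD with an external entity pointing at a placeholder (non-routable) URL.
const BOM_WITH_DTD = `<?xml version="1.0"?>
<!DOCTYPE bom [
  <!ENTITY ext SYSTEM "http://example.invalid/placeholder">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <metadata><component type="library"><name>&ext;</name></component></metadata>
</bom>`;

// Hypothetical stand-in for the library validator; only the interface matters.
function stubValidate(xml) {
  return { valid: xml.includes('<bom') };
}

for (const [label, doc] of [['clean', CLEAN_BOM], ['cdata', BOM_WITH_CDATA], ['dtd', BOM_WITH_DTD]]) {
  console.log(label, JSON.stringify(guardedValidate(doc, stubValidate)));
}
```

The guard is a stopgap for deployments that cannot upgrade immediately; the proper fix is version 6.7.1, whose parser configuration this pre-check does not replace. Because it rejects rather than sanitizes, the rejection `offset` is worth logging: a DOCTYPE in a BOM submitted by an external party is itself a detection signal.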

Exploit · Fix · XXE

Weakness Enumeration

Related Identifiers

CVE-2024-34345
GHSA-38GF-RH2W-GMJ7

Affected Products

Cyclonedx Javascript Library