PT-2025-46213 · Unknown · Cyclonedx-Core-Java

Published: 2025-11-10 · Updated: 2025-11-13 · CVE-2025-64518

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: CycloneDX versions 2.1.0 through 11.0.1

Description: The CycloneDX core module, used for creating, validating, and parsing SBOMs, contains a flaw due to an insecurely configured XML Validator. This allows XML External Entity (XXE) injection. The initial fix for a related issue only addressed XML parsing, not validation, so the Validator component remains susceptible to exploitation.

Recommendations: CycloneDX versions 2.1.0 through 11.0.0 should be updated to version 11.0.1. As a workaround, applications can reject XML documents before passing them to CycloneDX for validation. If incoming CycloneDX BOMs are known to be in JSON format, applications can reject XML documents.
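The defensive point of the description is that hardening the parser is not enough: a javax.xml.validation.Validator parses the document again and must be locked down separately. The following added example (not CycloneDX's own code; the schema and both inputs are constructed placeholders) shows a Validator configured so that a document carrying a DOCTYPE is rejected instead of being resolved.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.StringReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedXmlValidation {
    // Constructed minimal schema; stands in for the real BOM schema.
    static final String XSD = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "<xs:element name=\"bom\" type=\"xs:string\"/></xs:schema>";
    // Constructed input with a DOCTYPE declaring an external entity (placeholder URI).
    static final String XML_WITH_DOCTYPE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE bom [<!ENTITY ext SYSTEM \"file:///placeholder\">]><bom>&ext;</bom>";

    /** Returns true only if the document is schema-valid AND contains no DOCTYPE. */
    static boolean validateHardened(String xml) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");     // no external DTDs
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");  // no remote schema fetches
        Schema schema = sf.newSchema(new StreamSource(new StringReader(XSD)));

        Validator v = schema.newValidator();
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");      // the Validator has its
        v.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");   // own settings: set them too

        // A StreamSource would be parsed by the Validator's internal reader. Handing it a
        // hardened XMLReader via SAXSource makes the parsing step refuse DOCTYPEs outright.
        SAXParserFactory pf = SAXParserFactory.newInstance();
        pf.setNamespaceAware(true);
        pf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        pf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        pf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        pf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = pf.newSAXParser().getXMLReader();
        try {
            v.validate(new SAXSource(reader, new InputSource(new StringReader(xml))));
            return true;
        } catch (SAXException e) {
            return false; // DOCTYPE present or schema violation: reject the BOM
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain bom accepted:   " + validateHardened("<bom>text</bom>"));
        System.out.println("doctype bom accepted: " + validateHardened(XML_WITH_DOCTYPE));
    }
}
```

With the JDK's built-in parser the first call returns true and the second returns false, which is the behaviour the workaround above (rejecting XML up front) achieves by other means.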

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2025-64518
GHSA-6FHJ-VR9J-G45R

Affected Products

Cyclonedx-Core-Java