PT-2026-1285 · Apache · Apache Isis

Published: 2026-01-05 · Updated: 2026-01-26 · CVE-2025-68280

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache SIS versions 0.4 through 1.5

Description: An improper restriction of XML external entity reference issue exists in Apache SIS. An attacker can craft XML files that, when parsed by Apache SIS, reveal the content of local files on the server. This impacts services including reading GeoTIFF files with the GEO METADATA tag, parsing ISO 19115 metadata in XML format, parsing Coordinate Reference Systems defined in GML format, and parsing files in GPS Exchange Format (GPX). The issue stems from how Apache SIS handles XML parsing and can lead to unauthorized access to sensitive information.

Recommendations: Upgrade to version 1.6 to resolve the issue. As a temporary workaround, launch Java with the javax.xml.accessExternalDTD system property set to a comma-separated list of authorized protocols, for example: java -Djavax.xml.accessExternalDTD="" ....
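To see what the recommended workaround does at the parser level, the following is an added example written against plain JAXP; it is not code from the advisory or from Apache SIS. It assumes a constructed GPX-shaped document whose DOCTYPE points at an external DTD on the placeholder host dtd.example.invalid, and the class and method names are the example's own. One factory applies only the accessExternalDTD restriction (the in-process equivalent of the -D flag above); a second shows the fuller hardening you would apply in code you control, where DOCTYPE is refused outright.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class ExternalDtdRestrictionDemo {

    // Constructed sample input (not from the advisory): a GPX-shaped document whose
    // DOCTYPE asks the parser to fetch an external DTD. Whether the parser follows
    // that reference is exactly what the accessExternalDTD property controls.
    static final String GPX_WITH_EXTERNAL_DTD =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE gpx SYSTEM \"http://dtd.example.invalid/gpx.dtd\">\n"
      + "<gpx version=\"1.1\"><wpt lat=\"48.85\" lon=\"2.35\"/></gpx>\n";

    /** Only the advisory's workaround: an empty protocol list means no protocol may be
     *  used to resolve external DTDs. Equivalent to -Djavax.xml.accessExternalDTD="",
     *  but scoped to this factory instead of the whole JVM. */
    static DocumentBuilderFactory factoryWithWorkaroundOnly() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return f;
    }

    /** Hardened beyond the workaround: DOCTYPE is refused outright, so neither external
     *  DTDs nor entity declarations of any kind are ever processed. */
    static DocumentBuilderFactory fullyHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns true if the document parsed, false if the parser refused it. The
     *  refusal message names the control that fired (accessExternalDTD restriction
     *  for the first factory, disallowed DOCTYPE for the second). */
    static boolean tryParse(String label, DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder builder = f.newDocumentBuilder();
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println(label + ": parsed");
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            System.out.println(label + ": rejected -> " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // JVM-wide form of the advisory's workaround; factories created afterwards in
        // this process take it as their default, so either route alone is enough.
        System.setProperty("javax.xml.accessExternalDTD", "");

        tryParse("workaround-only", factoryWithWorkaroundOnly(), GPX_WITH_EXTERNAL_DTD);
        tryParse("fully-hardened", fullyHardenedFactory(), GPX_WITH_EXTERNAL_DTD);
    }
}
```

With the JDK's built-in parser, both runs end in a rejection: the first because http access to the DTD is not allowed under the accessExternalDTD restriction, the second because the DOCTYPE declaration itself is disallowed. The system-property route is the right fit for software you cannot modify, such as an Apache SIS deployment awaiting the 1.6 upgrade, since the property is read by every JAXP parser the JVM creates; the factory-level settings are what you would put in your own parsing code so the protection does not depend on launch flags.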

Fix

Weakness Enumeration

XXE

Related Identifiers

CVE-2025-68280
GHSA-JQMR-2PG9-VFX7

Affected Products

Apache Isis