CVE-2025-4641: 
Java vulnerability analysis and mitigation

A critical XML External Entity (XXE) injection vulnerability has been identified in WebDriverManager, an essential Java library widely used in Selenium-based automation frameworks. The vulnerability, tracked as CVE-2025-4641, affects WebDriverManager versions from 1.0.0 to versions before 6.0.2 across Windows, MacOS, and Linux platforms. This security flaw has received a CVSS score of 9.3, indicating its critical severity (Wiz, NVD).

The vulnerability stems from improper handling of XML parsing in the WebDriverManager component, specifically in the file src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. The issue is classified as CWE-611 (Improper Restriction of XML External Entity Reference) and allows for Data Serialization External Entities Blowup. The vulnerability affects the XML parsing components modules across all supported operating systems (NVD, GitHub PR).

The XXE vulnerability can be exploited to access local files on the server's file system and perform Server-Side Request Forgery (SSRF), enabling attackers to make the server send requests to arbitrary external or internal systems. This can result in severe consequences including data breaches, unauthorized access to resources, and further exploitation of the compromised system (SecurityOnline).

The vulnerability has been patched in version 6.0.2 of WebDriverManager. The fix includes critical security hardening measures, such as implementing factory.setFeature(XMLConstants.FEATURESECUREPROCESSING, true). Users are strongly advised to update to version 6.0.2 or later to protect their systems from potential attacks (SecurityOnline, GitHub PR).