CVE-2025-53621: 
Java vulnerability analysis and mitigation

DSpace open source software, a repository application providing durable access to digital resources, is affected by two related XML External Entity (XXE) injection vulnerabilities (CVE-2025-53621) impacting all versions prior to 7.6.4, 8.2, and 9.1. The vulnerabilities exist in the XML parsing functionality during archive imports and when parsing XML responses from external services (GitHub Advisory).

The vulnerability stems from two main issues: 1) External entities are not disabled when parsing XML files during import of archives in Simple Archive Format (SAF), either via command-line or the Batch Import user interface, and 2) External entities are not explicitly disabled when parsing XML responses from upstream services like ArXiv, Crossref, OpenAIRE, and Creative Commons. The vulnerability has been assigned a CVSS v3.1 base score of 6.9 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L (GitHub Advisory).

An XXE injection could result in an attacker's site being connected to or local paths readable by the Tomcat user being accessed, with content potentially being injected into metadata fields. This may lead to sensitive content disclosure, including retrieval of arbitrary files or configurations from the DSpace server. The vulnerability could also enable request forgery attacks and exposure of sensitive information in responses (GitHub Advisory).

The vulnerability has been fixed in DSpace versions 7.6.4, 8.2, and 9.1. For those unable to upgrade immediately, manual patches are available for the DSpace backend through pull requests #11032 (7.x), #11034 (8.x), and #11035 (9.x). Temporary workarounds include careful inspection of SAF archives before importing and disabling affected external services as needed (GitHub Advisory).