CVE-2025-64518: 
Java vulnerability analysis and mitigation

CVE-2025-64518 affects the CycloneDX core module's XML validation functionality in versions 2.1.0 through 11.0.0. The vulnerability was discovered in the XML Validator component used by cyclonedx-core-java, which was not configured securely, making it susceptible to XML External Entity (XXE) injection attacks. This vulnerability is a follow-up to a previous incomplete fix (GHSA-683x-4444-jxh8 / CVE-2024-38374) that only addressed XML BOM parsing but not validation. The issue was disclosed on November 10, 2025 (GitHub Advisory).

The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference) and has received a CVSS v3.1 base score of 7.5 (High). The security flaw exists in the XML validation process where the SchemaFactory was not properly configured to prevent XXE attacks. The vulnerability allows processing of XML documents that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control (GitHub Advisory).

The vulnerability could allow remote attackers to execute XXE attacks without requiring privileges or user interaction. The CVSS metrics indicate high impact on confidentiality while integrity and availability remain unaffected. This suggests that attackers could potentially access sensitive information through XXE exploitation (GitHub Advisory).

The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before passing them to cyclonedx-core-java for validation, particularly if incoming CycloneDX BOMs are known to be in JSON format. The fix involves proper configuration of the SchemaFactory with secure XML parsing settings (GitHub Advisory, OWASP Cheatsheet).