
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-64518 affects the CycloneDX core Java module (cyclonedx-core-java), versions 2.1.0 through 11.0.0. The vulnerability was discovered in November 2025 and is an XML External Entity (XXE) injection flaw in the library's XML validation functionality. The XML Validator used by cyclonedx-core-java was not configured securely, leaving the library exposed to XXE attacks. The issue stems from an incomplete fix for a previous vulnerability (CVE-2024-38374), which addressed XML BOM parsing but not validation (GitHub Advisory).
The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference) with a CVSS v3.1 score of 7.5 (High). The root cause is the insecure configuration of javax.xml.validation.SchemaFactory in the XML validation path, which did not disable the processing of external XML entities. Only the validation of XML BOMs is affected: parsing had already been hardened by the earlier fix, but the SchemaFactory used for validation was never configured to prevent XXE (GitHub Advisory, OWASP XXE).
When exploited, this vulnerability could allow attackers to perform XML External Entity (XXE) injection attacks through specially crafted XML documents during the validation process. This could potentially lead to unauthorized disclosure of sensitive information, server-side request forgery (SSRF), or denial of service attacks (GitHub Advisory).
The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. The fix includes proper configuration of the SchemaFactory by setting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties to empty strings and enabling FEATURE_SECURE_PROCESSING. As a workaround, if upgrading is not immediately possible, applications can reject XML documents before handing them to cyclonedx-core-java for validation, particularly if incoming CycloneDX BOMs are known to be in JSON format (GitHub Advisory, GitHub PR).
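As an added illustration (not cyclonedx-core-java's own code), the following shows a SchemaFactory configured the way the fix describes, applied to a constructed mini schema and document; the class name, helper names and sample XML are assumptions for this example only.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import java.io.IOException;
import java.io.StringReader;
import org.xml.sax.SAXException;

// Hypothetical helper class for this example; not part of cyclonedx-core-java.
public final class HardenedXmlValidation {

    // Constructed toy schema, standing in for the real CycloneDX XSD.
    private static final String SAMPLE_SCHEMA =
          "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "<xs:element name=\"bom\"><xs:complexType><xs:sequence>"
        + "<xs:element name=\"component\" type=\"xs:string\"/>"
        + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Constructed sample document that conforms to the toy schema.
    private static final String SAMPLE_BOM =
        "<bom><component>example-library</component></bom>";

    // Builds a SchemaFactory with the three settings named in the fix.
    static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Empty string = no protocol may be used to fetch external DTDs or schemas.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        // Turns on the JAXP secure-processing limits (entity expansion, etc.).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    // Validates a document; the Validator gets the same restrictions as a belt-and-braces measure.
    static void validate(Schema schema, String xml) throws SAXException, IOException {
        Validator validator = schema.newValidator();
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        validator.validate(new StreamSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Schema schema = hardenedSchemaFactory()
            .newSchema(new StreamSource(new StringReader(SAMPLE_SCHEMA)));
        validate(schema, SAMPLE_BOM);
        System.out.println("sample BOM validated with external entity access disabled");
    }
}
```

With these settings, a document or schema that tries to reach an external DTD or schema is rejected by the JAXP implementation instead of being fetched, which is the behaviour the 11.0.1 fix restores for BOM validation.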
Source: This report was generated using AI