CVE-2025-64518 affects the cyclonedx-core-java library, which is widely used for creating, validating, and parsing Software Bill of Materials (SBOMs) in XML and JSON formats. The vulnerability is classified under CWE-611, indicating improper restriction of XML External Entity references. Specifically, from version 2.1.0 through versions prior to 11.0.1, the XML Validator component within the library was not securely configured to disable external entity resolution during XML validation. This misconfiguration allows an attacker to craft malicious XML documents containing external entity references that, when processed by the vulnerable validator, can lead to disclosure of local files or internal system information. The vulnerability is exploitable remotely without authentication or user interaction, as the library is typically used in automated SBOM processing pipelines. Although a previous fix (CVE-2024-38374) addressed XML parsing, it did not secure the validation step, leaving this attack vector open until version 11.0.1. The vulnerability has a CVSS v3.1 score of 7.5, indicating a high severity due to the potential for sensitive data exposure. No known exploits have been reported in the wild, but the risk remains significant given the widespread adoption of CycloneDX in supply chain security tooling. As a temporary mitigation, applications can reject XML SBOM inputs or prefer JSON formats before passing data to the vulnerable validator. The definitive solution is upgrading to cyclonedx-core-java version 11.0.1 or later, where the XML Validator is properly hardened against XXE attacks.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive information processed in SBOM workflows. Since CycloneDX is a popular standard for SBOMs used in software supply chain security, many enterprises and software vendors rely on cyclonedx-core-java for SBOM generation and validation. Exploitation could allow attackers to read arbitrary files or internal configuration data on systems processing malicious SBOM XML inputs, potentially exposing intellectual property, credentials, or other sensitive data. This risk is heightened in sectors with stringent data protection requirements such as finance, healthcare, and critical infrastructure. Additionally, supply chain security tools that integrate CycloneDX could be leveraged as attack vectors, undermining trust in software provenance. The vulnerability does not affect integrity or availability directly but can facilitate further attacks by leaking confidential information. Given the remote, unauthenticated exploitability and no user interaction required, the threat is practical and urgent to address. Organizations processing XML SBOMs should prioritize patching or mitigating this vulnerability to maintain compliance with European data protection regulations and secure software supply chains.

1. Upgrade cyclonedx-core-java to version 11.0.1 or later immediately, as this version contains the complete fix for the XXE vulnerability in XML validation. 2. If upgrading is not immediately feasible, implement input validation to reject or sanitize XML SBOM documents before they reach the vulnerable validator component. 3. Prefer using JSON format SBOMs where possible, as the vulnerability does not affect JSON processing. 4. Employ XML parsing libraries and validators configured to disable external entity resolution and DTD processing to prevent XXE attacks. 5. Conduct code reviews and dependency audits to identify and remediate any other usages of vulnerable XML processing components. 6. Monitor SBOM ingestion pipelines for anomalous XML inputs that could indicate exploitation attempts. 7. Educate development and security teams about the risks of XXE and secure XML handling best practices. 8. Integrate automated dependency scanning tools that flag vulnerable versions of cyclonedx-core-java to prevent future usage. 9. Review and update incident response plans to include scenarios involving SBOM supply chain compromise. 10. Collaborate with software vendors and partners to ensure they have applied the fix and are not introducing vulnerable SBOMs into your environment.