CVE-2025-66371: CWE-611 Improper Restriction of XML External Entity Reference in Iteras Peppol-py
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.
AI Analysis
Technical Summary
CVE-2025-66371 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting Iteras Peppol-py versions prior to 1.1.1. Peppol-py is a Python library for handling Peppol e-invoicing documents, which are XML-based. The vulnerability stems from a Saxon XML parser configuration that does not properly restrict external entity references. When Peppol-py validates an XML invoice, a specially crafted document can exploit this misconfiguration so that the parser reads arbitrary files on the host filesystem; their contents can then be exfiltrated to a remote attacker, compromising confidentiality. The CVSS v3.1 base score is 5.0 (medium severity): network attack vector, low attack complexity, low privileges required, no user interaction, and low confidentiality impact (C:L) with no impact on integrity or availability. The scope is changed (S:C) because the attack can affect resources beyond the vulnerable component. There are no known public exploits or patches at the time of publication; the recommended fix is to upgrade Peppol-py to version 1.1.1 or later, which presumably ships a parser configuration that disables external entity resolution. This vulnerability is particularly relevant for organizations processing Peppol e-invoices, as it could leak sensitive internal files, including configuration files, credentials, or other private data. The threat is heightened where Peppol-py runs with elevated privileges or has access to sensitive data. Given the widespread adoption of Peppol in Europe for cross-border e-invoicing, this vulnerability has significant implications for European businesses and public sector entities.
Potential Impact
For European organizations, the impact of CVE-2025-66371 can be significant due to the extensive use of Peppol for electronic invoicing mandated or encouraged by EU regulations. Successful exploitation could lead to unauthorized disclosure of sensitive files, including financial data, internal configurations, or personally identifiable information, undermining confidentiality. This could result in regulatory non-compliance, reputational damage, and potential financial losses. Since the vulnerability does not affect integrity or availability, the primary concern is data leakage. However, the scope change indicates that the attack could impact other components or systems if the compromised files contain credentials or secrets used elsewhere. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and government, are particularly vulnerable. Additionally, attackers could leverage disclosed information for further attacks, such as lateral movement or privilege escalation. The medium severity score suggests a moderate risk, but the ease of exploitation and network accessibility increase the urgency for mitigation.
Mitigation Recommendations
To mitigate CVE-2025-66371, organizations should immediately upgrade Peppol-py to version 1.1.1 or later, where the vulnerability is addressed by secure Saxon parser configurations that disable XML external entity processing. If upgrading is not immediately feasible, apply configuration changes to the XML parser to explicitly disable external entity resolution and DTD processing. Conduct a thorough review of all XML processing components to ensure they are not vulnerable to XXE attacks. Implement strict input validation and sanitization for all XML inputs, especially those originating from untrusted sources. Limit the privileges of the service running Peppol-py to minimize the impact of potential file disclosures. Monitor logs for unusual XML parsing activity or unexpected outbound connections that could indicate exploitation attempts. Additionally, perform regular security audits and penetration testing focused on XML processing components. Establish network segmentation and egress filtering to prevent unauthorized data exfiltration. Finally, educate developers and system administrators about secure XML handling best practices to prevent similar vulnerabilities.
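The "disable DTD processing" recommendation above can also be enforced as a gate in front of whatever validating parser is in use. The following is an added example, not code from Peppol-py or from this advisory: it uses only Python's standard-library expat parser, rejects any invoice that declares a DOCTYPE or an entity (XXE needs one, and Peppol BIS/UBL invoices never legitimately carry one), and only then hands the document to the parser. It does not configure Saxon itself; the UBL namespaces are the standard ones, and the two sample invoices and the placeholder file path are constructed for illustration.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXmlError(ValueError):
    """Raised when an invoice declares a DOCTYPE or any entity."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Raise UnsafeXmlError if the document declares a DTD or an entity."""
    p = xml.parsers.expat.ParserCreate()
    # Never fetch external parameter entities (e.g. an external DTD subset).
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not allowed in invoices")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # Fires for external (SYSTEM/PUBLIC) and internal entity declarations.
        raise UnsafeXmlError(f"entity '{name}' declared (system id: {sysid})")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.Parse(xml_bytes, True)


def safe_parse_invoice(xml_bytes: bytes) -> ET.Element:
    """Gate the document first, then parse it with entities already ruled out."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_safe_invoice(xml_bytes: bytes) -> bool:
    """True if the document passes the gate, False if it was rejected."""
    try:
        safe_parse_invoice(xml_bytes)
        return True
    except UnsafeXmlError:
        return False


UBL = "urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
CBC = "urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2"
# Constructed sample: a minimal UBL-style invoice (not a real Peppol document).
CLEAN_INVOICE = f"""<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="{UBL}" xmlns:cbc="{CBC}"><cbc:ID>INV-0001</cbc:ID></Invoice>""".encode()
# Constructed sample: same invoice plus an entity declaration aimed at a placeholder path.
DTD_INVOICE = f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Invoice [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret"> ]>
<Invoice xmlns="{UBL}" xmlns:cbc="{CBC}"><cbc:ID>&ext;</cbc:ID></Invoice>""".encode()
```

Because the gate triggers on the declaration rather than on the reference, it also stops documents whose entity is declared but never used, and internal-entity expansion bombs, which a reference-based filter would miss.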
Affected Countries
Netherlands, Germany, Sweden, Denmark, Finland, Norway, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-28T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 692919d1a7cba954100dd856
Added to database: 11/28/2025, 3:41:05 AM
Last enriched: 1/27/2026, 7:11:24 PM
Last updated: 2/4/2026, 1:08:55 PM