CVE-2025-66371: CWE-611 Improper Restriction of XML External Entity Reference in Iteras Peppol-py
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.
AI Analysis
Technical Summary
CVE-2025-66371 is an XML External Entity (XXE) vulnerability classified under CWE-611 found in the Iteras Peppol-py library, a Python implementation used for processing Peppol-compliant electronic invoices. The root cause is an insecure Saxon XML parser configuration that permits external entity references during XML validation. This flaw allows an attacker with at least low-level privileges (PR:L) to craft malicious XML invoice documents that, when processed, cause the parser to read arbitrary files from the local filesystem. The contents of these files can then be exfiltrated to a remote attacker, resulting in a confidentiality breach. The vulnerability does not affect integrity or availability directly and does not require user interaction, but it does have a scope impact since the vulnerability affects the entire system processing the invoices. The CVSS v3.1 score is 5.0 (medium), reflecting the network attack vector, low attack complexity, and partial confidentiality impact. No public exploits have been reported yet, but the vulnerability is significant given the sensitive nature of invoicing data and the widespread use of Peppol-py in European e-invoicing ecosystems. The vulnerability was published on November 28, 2025, and affects all versions prior to 1.1.1. No official patches or mitigations were linked at the time of publication, but upgrading to a fixed version and disabling external entity resolution in the XML parser are recommended best practices.
Potential Impact
For European organizations, especially those engaged in e-invoicing using the Peppol network, this vulnerability poses a risk of sensitive data exposure. Attackers could leverage this flaw to access confidential files on invoice processing servers, potentially including financial records, credentials, or other sensitive business information. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Since Peppol is widely adopted in Europe for cross-border electronic invoicing, the impact could be widespread, affecting public sector entities, large enterprises, and SMEs alike. The confidentiality breach could also facilitate further attacks such as lateral movement or targeted espionage. However, the vulnerability does not directly compromise system integrity or availability, limiting its impact to information disclosure. The requirement for at least low privileges means attackers may need some initial access or insider capabilities, somewhat reducing the attack surface but not eliminating risk.
Mitigation Recommendations
1. Upgrade Peppol-py to version 1.1.1 or later, where the vulnerability is addressed.
2. Review and harden XML parser configurations to explicitly disable external entity processing and DTD loading in Saxon or any other XML processing library used.
3. Implement strict input validation and sanitization on all incoming XML invoice data to detect and block malicious payloads.
4. Employ network segmentation and access controls to limit exposure of invoice processing systems to untrusted networks or users.
5. Monitor logs for unusual XML parsing errors or unexpected outbound network connections that could indicate exploitation attempts.
6. Conduct regular security audits and penetration testing focused on XML processing components.
7. Educate developers and administrators about secure XML handling practices and the risks of XXE vulnerabilities.
8. If upgrading is delayed, consider deploying runtime detection tools or Web Application Firewalls (WAFs) with rules to detect and block XXE attack patterns targeting Peppol-py endpoints.
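A pre-parse gate of the kind items 2 and 3 call for, as an added example in Python (not Peppol-py's own code): it refuses any inbound invoice that carries a DOCTYPE before the document ever reaches the Saxon validator. The reasoning it relies on is that a DOCTYPE is the only place an XML entity can be declared, and (our assumption about the format) Peppol UBL invoices are checked with XSD and Schematron and never need a DTD. The two sample documents, the `gate_invoice` function name and the `file:///PLACEHOLDER` path are all constructed for this example.

```python
import re

_BOMS = ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"), (b"\xef\xbb\xbf", "utf-8"))
_ROOT_TAG = re.compile(r"<([A-Za-z_:][\w.:-]*)")

# Constructed samples (not real traffic): a minimal UBL 2.1 invoice, and the same
# document with a DOCTYPE declaring an external entity (placeholder path).
CLEAN_INVOICE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                 b'<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">'
                 b'<ID>INV-0001</ID></Invoice>')
XXE_INVOICE = (b'<?xml version="1.0"?>\n'
               b'<!DOCTYPE Invoice [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>\n'
               b'<Invoice><ID>&ext;</ID></Invoice>')


def _to_text(doc):
    # Decode bytes for scanning: honour a UTF-16/UTF-8 BOM, default to UTF-8, drop the BOM char.
    if isinstance(doc, str):
        return doc
    enc = next((e for bom, e in _BOMS if doc.startswith(bom)), "utf-8")
    return doc.decode(enc, errors="replace").lstrip("\ufeff")


def gate_invoice(doc):
    """Walk the XML prolog. Return (True, root_element_name) if the document may be
    handed to the validator, else (False, reason). A DOCTYPE is rejected outright:
    it is the only place an entity can be declared, and a UBL invoice never needs one."""
    text, pos = _to_text(doc), 0
    while True:
        while pos < len(text) and text[pos] in " \t\r\n":
            pos += 1
        if pos >= len(text):
            return False, "no root element"
        if text.startswith("<!DOCTYPE", pos):
            return False, "DOCTYPE not permitted in a Peppol invoice"
        for opener, closer in (("<?", "?>"), ("<!--", "-->")):
            if text.startswith(opener, pos):  # XML declaration, PI or comment: skip it
                end = text.find(closer, pos + len(opener))
                if end < 0:
                    return False, "unterminated construct in prolog"
                pos = end + len(closer)
                break
        else:  # neither PI nor comment, so this must be the root start tag
            m = _ROOT_TAG.match(text, pos)
            return (True, m.group(1)) if m else (False, "unexpected content before root element")


if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_INVOICE), ("doctype", XXE_INVOICE)):
        print(name, gate_invoice(doc))
```

The gate is a defence-in-depth layer in front of the parser; it complements, rather than replaces, upgrading to 1.1.1 and disabling DTD loading and entity resolution in the parser configuration itself.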
Affected Countries
Germany, Netherlands, Sweden, Denmark, Norway, Finland, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-28T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 692919d1a7cba954100dd856
Added to database: 11/28/2025, 3:41:05 AM
Last enriched: 11/28/2025, 3:42:00 AM
Last updated: 11/28/2025, 7:53:07 AM