
CVE-2025-66371: CWE-611 Improper Restriction of XML External Entity Reference in Iteras Peppol-py

Severity: Medium
Tags: Vulnerability, CVE-2025-66371, cve, cwe-611
Published: Fri Nov 28 2025 (11/28/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Iteras
Product: Peppol-py

Description

CVE-2025-66371 is a medium-severity XML External Entity (XXE) vulnerability in Iteras Peppol-py versions before 1.1.1. The Saxon XML parser used for XML invoice validation is configured so that external entity references are resolved, so an attacker who can submit an invoice can declare an external entity whose SYSTEM identifier points at a local file and have the parser read that file into the document. The result is a partial loss of confidentiality: sensitive file contents can be exposed to a remote attacker without any user interaction. Exploitation requires only low privileges (for example, the ability to submit an invoice for validation) and affects any system that validates XML invoices with Peppol-py. No in-the-wild exploitation has been reported. European organizations relying on Peppol-py for e-invoicing should prioritize upgrading or mitigating to prevent data leakage; those in countries with broad Peppol adoption and highly automated invoice pipelines have the largest exposure.

AI-Powered Analysis

Last updated: 12/05/2025, 04:28:24 UTC

Technical Analysis

CVE-2025-66371 is an XML External Entity (XXE) vulnerability, classified under CWE-611, affecting the Iteras Peppol-py library in versions prior to 1.1.1. Peppol-py validates XML invoices against the Peppol e-procurement framework. The weakness lies in the configuration of the Saxon XML parser used for that validation: external entity references are not restricted, so the parser resolves entities declared in a document's DTD. An attacker who can submit an invoice for validation can therefore declare an external entity whose SYSTEM identifier points at a local file (a configuration file or credential store, for instance) and reference it from the document body. When the invoice is processed, the parser reads the file and substitutes its contents into the document, from where they can reach the attacker through validation output, error messages or an out-of-band channel. The outcome is a confidentiality breach; integrity and availability are not affected.

The CVSS v3.1 base score is 5.0 (medium): the attack vector is network-based, attack complexity is low, low privileges are required, no user interaction is needed, and only confidentiality is impacted, partially. The scope is changed, meaning the impact extends beyond the vulnerable library to the host's filesystem. No public exploit has been reported, but the flaw is a tangible risk wherever Peppol-py validates invoices automatically and sensitive files reside on the same system. The record carries no patch link, so the fixed version (1.1.1 or later) should be obtained from the vendor; until it is deployed, external entity processing should be disabled in the Saxon parser configuration.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information stored on systems processing Peppol invoices, such as configuration files, credentials, or personal data. Given the widespread adoption of the Peppol framework in Europe for cross-border e-invoicing and public procurement, the risk is significant for companies and government agencies relying on Peppol-py. Exposure of confidential data could result in regulatory non-compliance under GDPR, reputational damage, and potential financial losses. The vulnerability does not directly affect system integrity or availability but could be leveraged as a stepping stone for further attacks if sensitive credentials or secrets are exposed. Organizations with automated invoice processing pipelines that do not isolate or sandbox XML parsing are particularly vulnerable. The medium severity rating reflects a moderate but tangible risk, especially in sectors handling sensitive procurement data or intellectual property.

Mitigation Recommendations

European organizations should upgrade Peppol-py to version 1.1.1 or later, where the vulnerability is addressed. Where an immediate upgrade is not feasible, configure the Saxon XML parser so that external entity resolution is disabled explicitly: reject DOCTYPE declarations outright where invoices never legitimately carry a DTD, and otherwise disable external general and parameter entity processing and external DTD loading. Add strict input validation and XML schema validation in front of the parser so that malformed or unexpected XML is rejected before it is processed. Restrict outbound connections from invoice-processing systems at the network level, which also blocks out-of-band exfiltration of file contents through attacker-controlled URLs. Monitor logs for unusual XML parsing errors and for unexpected file access by the validation process. Run invoice processing in a segmented network zone under a least-privilege account that has no read access to credentials or other sensitive files, so that a successful entity expansion yields little. Audit XML processing components and dependencies regularly for security updates, and make sure developers and administrators understand XXE risks and secure XML handling practices.
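To make the parser-level point of the Technical Analysis and the "disable DOCTYPE and external entity processing" advice above concrete, here is an added example; it is not Peppol-py's or Saxon's code and does not reproduce Saxon's configuration API. It uses the Python standard library's xml.sax (expat) parser as a stand-in. A constructed UBL invoice dereferences an external entity pointing at a temporary file that stands in for a credential file; the same document is parsed once with external general entities enabled (the weak configuration) and once with them disabled, and then passed through a DOCTYPE gate. The invoice, the secret file, the `reject_dtd` pre-check and all function names are assumptions made for this example:

```python
# Added example, not Peppol-py's or Saxon's own code.  It reproduces the CWE-611
# pattern the advisory describes with Python's xml.sax (expat) standing in for
# Saxon: same invoice, file leaked with entity resolution on, nothing with it off.
import io
import os
import pathlib
import re
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

# A Peppol BIS invoice never needs a DTD, so any DOCTYPE/ENTITY declaration can
# be rejected before parsing.  This pre-check is an assumption of this example.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

def reject_dtd(xml_bytes: bytes) -> None:
    """Raise ValueError if the document carries a DTD or entity declaration."""
    if _DTD_MARKERS.search(xml_bytes):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed in invoices")

class _NoteCollector(ContentHandler):
    """SAX handler that collects the text of every Note element (any prefix)."""

    def __init__(self):
        super().__init__()
        self.notes, self._in_note, self._buf = [], False, []

    def startElement(self, name, attrs):
        if name.rsplit(":", 1)[-1] == "Note":
            self._in_note, self._buf = True, []

    def characters(self, content):
        if self._in_note:
            self._buf.append(content)

    def endElement(self, name):
        if self._in_note and name.rsplit(":", 1)[-1] == "Note":
            self.notes.append("".join(self._buf))
            self._in_note = False

def extract_notes(xml_bytes: bytes, resolve_external_entities: bool) -> list:
    """Parse an invoice and return its Note texts.  True is the misconfiguration:
    the parser follows SYSTEM identifiers and splices the referenced file into
    the document.  False (CPython's default since 3.7.1) drops such entities."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _NoteCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.notes

def parse_invoice_safely(xml_bytes: bytes) -> list:
    """Hardened entry point: DOCTYPE gate first, then entity resolution off."""
    reject_dtd(xml_bytes)
    return extract_notes(xml_bytes, resolve_external_entities=False)

def build_invoice(note_xml: str, prolog: str = "") -> bytes:
    """Constructed minimal UBL invoice; `prolog` carries an optional DOCTYPE."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"{prolog}"
        '<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"\n'
        ' xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">\n'
        "  <cbc:ID>INV-0001</cbc:ID>\n"
        f"  <cbc:Note>{note_xml}</cbc:Note>\n"
        "</Invoice>\n"
    ).encode()

def xxe_payload(file_url: str) -> bytes:
    """Constructed attacker invoice: Note dereferences an external entity."""
    return build_invoice(
        "&xxe;", prolog=f'<!DOCTYPE Invoice [<!ENTITY xxe SYSTEM "{file_url}">]>\n'
    )

def demo() -> tuple:
    """Run the payload against the weak and the hardened configuration and
    return (weak parser's notes, hardened parser's notes, DOCTYPE gate verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")  # stands in for a config file
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2")
        payload = xxe_payload(pathlib.Path(secret_path).as_uri())
        leaked = extract_notes(payload, resolve_external_entities=True)
        hardened = extract_notes(payload, resolve_external_entities=False)
        try:
            parse_invoice_safely(payload)
            gate = "accepted"
        except ValueError:
            gate = "rejected"
    return leaked, hardened, gate

if __name__ == "__main__":
    print(demo())  # (['db_password=hunter2'], [''], 'rejected')
```

Run directly, it prints `(['db_password=hunter2'], [''], 'rejected')`: the weak parser returns the secret file's contents as the Note text, the hardened parser returns an empty note because the entity is never resolved, and the gate refuses the document before any parsing happens. In lxml the equivalent switch is `etree.XMLParser(resolve_entities=False, no_network=True)`; whichever XML parser sits under Saxon in a given deployment, the control to look for is the one that turns off external entity resolution or rejects DTDs entirely.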


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-28T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 692919d1a7cba954100dd856

Added to database: 11/28/2025, 3:41:05 AM

Last enriched: 12/5/2025, 4:28:24 AM

Last updated: 1/12/2026, 8:51:31 AM
