CVE-2025-68280: CWE-611 Improper Restriction of XML External Entity Reference in Apache Software Foundation Apache SIS
Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services:
* Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG).
* Parsing of ISO 19115 metadata in XML format.
* Parsing of Coordinate Reference Systems defined in the GML format.
* Parsing of files in GPS Exchange Format (GPX).
This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property set to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ...
AI Analysis
Technical Summary
CVE-2025-68280 is a vulnerability classified under CWE-611, involving improper restriction of XML External Entity (XXE) references in the Apache Software Foundation's Apache SIS (Spatial Information System) library. Apache SIS versions 0.4 through 1.5 inclusive are affected. The vulnerability arises because Apache SIS processes XML files related to geospatial metadata and coordinate reference systems without adequately restricting external entity resolution. Specifically, when parsing XML data embedded in GeoTIFF files with GEO_METADATA tags (as defined by the Defense Geospatial Information Working Group), ISO 19115 metadata XML, GML format coordinate reference systems, or GPS Exchange Format (GPX) files, an attacker can craft XML input containing external entity references. Upon parsing, these references can cause the application to disclose contents of local files on the server, leading to information disclosure. This can expose sensitive configuration files, credentials, or other critical data residing on the host. The vulnerability does not require authentication but does require the attacker to supply malicious XML data that the server processes. There are no known public exploits at this time. The recommended remediation is to upgrade to Apache SIS version 1.6, which addresses this issue. As an interim mitigation, users can launch Java with the system property javax.xml.accessExternalDTD set to an empty string or a restricted list of allowed protocols, effectively disabling or limiting external DTD processing and preventing XXE exploitation. This vulnerability is particularly relevant for organizations processing geospatial data, including defense, mapping, and GIS services that rely on Apache SIS for metadata parsing and coordinate transformations.
Potential Impact
The primary impact of CVE-2025-68280 is unauthorized disclosure of local files on servers running vulnerable versions of Apache SIS. For European organizations, this can lead to leakage of sensitive geospatial data, internal configuration files, or credentials, potentially compromising confidentiality and enabling further attacks. Organizations in sectors such as defense, government mapping agencies, environmental monitoring, and critical infrastructure that utilize Apache SIS for geospatial metadata processing are at heightened risk. The exposure of sensitive local files could undermine national security, disrupt geospatial intelligence operations, or reveal proprietary data. Although the vulnerability does not directly affect system integrity or availability, the information disclosure could facilitate subsequent targeted attacks. The requirement for crafted XML input means that systems accepting untrusted XML data are most vulnerable. Given the strategic importance of geospatial data in European defense and infrastructure, the impact could be significant if exploited. However, the absence of known exploits and the availability of a patch reduce immediate risk if mitigations are applied promptly.
Mitigation Recommendations
1. Upgrade Apache SIS to version 1.6 or later, which contains the fix for this vulnerability.
2. Until upgrading is possible, configure the Java runtime environment to restrict external entity processing by setting the system property javax.xml.accessExternalDTD to an empty string or a comma-separated list of allowed protocols (e.g., java -Djavax.xml.accessExternalDTD="" ...).
3. Review and sanitize all XML inputs processed by Apache SIS, especially those originating from untrusted or external sources, to prevent malicious entity injection.
4. Implement network-level controls to limit access to services processing XML files, reducing exposure to untrusted inputs.
5. Monitor logs for unusual XML parsing errors or unexpected file access patterns that could indicate attempted exploitation.
6. Conduct security assessments of geospatial data processing pipelines to identify and remediate other potential XML-related vulnerabilities.
7. Educate developers and administrators about secure XML parsing practices and the risks of XXE vulnerabilities.
8. Employ application-layer firewalls or XML security gateways that can detect and block malicious XML payloads targeting XXE.
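As an added example (not Apache SIS code and not part of the advisory), the following Java shows the per-parser counterpart of the javax.xml.accessExternalDTD mitigation from step 2 together with the DOCTYPE pre-flight check that step 3 calls for; HardenedXmlIntake and its methods are hypothetical names, and the GPX samples are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import java.io.StringReader;
import java.util.regex.Pattern;

/** Hypothetical intake layer for untrusted GPX/GML/ISO 19115 XML (added example, not Apache SIS code). */
public class HardenedXmlIntake {
    /** Per-factory counterpart of -Djavax.xml.accessExternalDTD="": no external DTD/schema, no DOCTYPE, no entity expansion. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // same value the advisory sets JVM-wide
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    private static final Pattern DOCTYPE = Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);

    /** Pre-flight check: none of the affected formats needs a DOCTYPE, so its presence in untrusted input is grounds to reject
     *  (a "<!DOCTYPE" inside a comment or CDATA also trips this; that false positive is acceptable for untrusted input). */
    static boolean hasDoctype(String xml) {
        return DOCTYPE.matcher(xml).find();
    }
    static Document parseUntrusted(String xml) throws Exception {
        if (hasDoctype(xml)) throw new SecurityException("DOCTYPE declaration not allowed in untrusted XML");
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal GPX document without a DOCTYPE parses normally.
        String gpx = "<?xml version=\"1.0\"?><gpx version=\"1.1\" creator=\"example\">"
                   + "<wpt lat=\"48.85\" lon=\"2.35\"><name>P</name></wpt></gpx>";
        System.out.println("accepted root: " + parseUntrusted(gpx).getDocumentElement().getTagName());
        // Constructed sample: the same document with an external DTD reference is refused before SIS ever sees it.
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE gpx SYSTEM \"http://example.invalid/gpx.dtd\">"
                       + gpx.substring(gpx.indexOf("<gpx"));
        try {
            parseUntrusted(withDtd);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The JVM-wide property remains the control that reaches the parsers Apache SIS creates internally; the per-factory settings above only cover parsers the application builds itself.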
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-12-16T14:39:39.487Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 695bc49d3dc84013b27640fd
Added to database: 1/5/2026, 2:03:09 PM
Last enriched: 1/5/2026, 2:17:37 PM
Last updated: 1/7/2026, 8:44:46 AM