Homepage

XML External Entity (XXE) Injection Affecting dependency-track package, versions <4.13.5-r1

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about XML External Entity (XXE) Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CHAINGUARDLATEST-DEPENDENCYTRACK-13916046
  • published12 Nov 2025
  • disclosed10 Nov 2025
Report a new vulnerability Found a mistake?

Introduced: 10 Nov 2025

NewCVE-2025-64518  (opens in a new tab)
CWE-611  (opens in a new tab)

How to fix?

Upgrade Chainguard dependency-track to version 4.13.5-r1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream dependency-track package and not the dependency-track package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.