cvelistv5 - cve-2025-64518

CVE-2025-64518 (GCVE-0-2025-64518)

Vulnerability from cvelistv5 – Published: 2025-11-10 22:08 – Updated: 2025-11-12 20:13

Summary

The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-611 - Improper Restriction of XML External Entity Reference

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	CycloneDX	cyclonedx-core-java	Affected: >= 2.1.0, <11.0.1

GHSA-6FHJ-VR9J-G45R

Vulnerability from github – Published: 2025-11-10 21:04 – Updated: 2025-11-15 02:46

Summary

CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection

Details

Impact

The XML Validator used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.

The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 has been incomplete in that it only fixed parsing of XML BOMs, but not validation.

Patches

The vulnerability has been fixed in cyclonedx-core-java version 11.0.1.

Workarounds

If feasible, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.

References

The issue was introduced via https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
The issue was fixed via https://github.com/CycloneDX/cyclonedx-core-java/pull/737
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.cyclonedx:cyclonedx-core-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "11.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64518"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-10T21:04:03Z",
    "nvd_published_at": "2025-11-10T22:15:40Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe XML [`Validator`](https://docs.oracle.com/javase/8/docs/api/javax/xml/validation/Validator.html) used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection.\n\nThe fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 has been incomplete in that it only fixed *parsing* of XML BOMs, but not *validation*.\n\n### Patches\n\nThe vulnerability has been fixed in cyclonedx-core-java version 11.0.1.\n\n### Workarounds\n\nIf feasible, applications can reject XML documents before handing them to cyclonedx-core-java for validation.\nThis may be an option if incoming CycloneDX BOMs are known to be in JSON format.\n\n### References\n\n* The issue was introduced via https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9\n* The issue was fixed via https://github.com/CycloneDX/cyclonedx-core-java/pull/737\n* https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory",
  "id": "GHSA-6fhj-vr9j-g45r",
  "modified": "2025-11-15T02:46:38Z",
  "published": "2025-11-10T21:04:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection "
}

FKIE_CVE-2025-64518

Vulnerability from fkie_nvd - Published: 2025-11-10 22:15 - Updated: 2025-11-12 16:19

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory
	security-advisories@github.com	https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9
	security-advisories@github.com	https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314
	security-advisories@github.com	https://github.com/CycloneDX/cyclonedx-core-java/pull/737
	security-advisories@github.com	https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML `Validator` used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo central de CycloneDX proporciona una representaci\u00f3n de modelo del SBOM junto con utilidades para ayudar en la creaci\u00f3n, validaci\u00f3n y an\u00e1lisis de SBOMs. A partir de la versi\u00f3n 2.1.0 y antes de la versi\u00f3n 11.0.1, el \u0027Validator\u0027 XML utilizado por cyclonedx-core-java no estaba configurado de forma segura, haciendo que la librer\u00eda fuera vulnerable a la inyecci\u00f3n de entidad externa XML (XXE). La correcci\u00f3n para GHSA-683x-4444-jxh8 / CVE-2024-38374 fue incompleta ya que solo corrigi\u00f3 el an\u00e1lisis de los BOMs XML, pero no la validaci\u00f3n. La vulnerabilidad ha sido corregida en la versi\u00f3n 11.0.1 de cyclonedx-core-java. Como soluci\u00f3n alternativa, las aplicaciones pueden rechazar documentos XML antes de entregarlos a cyclonedx-core-java para su validaci\u00f3n. Esto puede ser una opci\u00f3n si se sabe que los BOMs CycloneDX entrantes est\u00e1n en formato JSON."
    }
  ],
  "id": "CVE-2025-64518",
  "lastModified": "2025-11-12T16:19:59.103",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-10T22:15:40.497",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

RHSA-2025:22622

Vulnerability from csaf_redhat - Published: 2025-12-04 11:30 - Updated: 2025-12-04 16:54

Summary

Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1 release and security update

Notes

Topic

An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.

Details

This release of Red Hat build of Quarkus 3.27.1 includes the following CVE fix: * cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection [quarkus-3.27] (CVE-2025-64518) For more information, see the release notes page listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat build of Quarkus 3.27.1 includes the following CVE fix:\n\n* cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection [quarkus-3.27] (CVE-2025-64518)\n\nFor more information, see the release notes page listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:22622",
        "url": "https://access.redhat.com/errata/RHSA-2025:22622"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/products/quarkus/",
        "url": "https://access.redhat.com/products/quarkus/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27",
        "url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6260",
        "url": "https://issues.redhat.com/browse/QUARKUS-6260"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6582",
        "url": "https://issues.redhat.com/browse/QUARKUS-6582"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6583",
        "url": "https://issues.redhat.com/browse/QUARKUS-6583"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6640",
        "url": "https://issues.redhat.com/browse/QUARKUS-6640"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6686",
        "url": "https://issues.redhat.com/browse/QUARKUS-6686"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6772",
        "url": "https://issues.redhat.com/browse/QUARKUS-6772"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6836",
        "url": "https://issues.redhat.com/browse/QUARKUS-6836"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6837",
        "url": "https://issues.redhat.com/browse/QUARKUS-6837"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6838",
        "url": "https://issues.redhat.com/browse/QUARKUS-6838"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6839",
        "url": "https://issues.redhat.com/browse/QUARKUS-6839"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6840",
        "url": "https://issues.redhat.com/browse/QUARKUS-6840"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6841",
        "url": "https://issues.redhat.com/browse/QUARKUS-6841"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6842",
        "url": "https://issues.redhat.com/browse/QUARKUS-6842"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6843",
        "url": "https://issues.redhat.com/browse/QUARKUS-6843"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6844",
        "url": "https://issues.redhat.com/browse/QUARKUS-6844"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6845",
        "url": "https://issues.redhat.com/browse/QUARKUS-6845"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6847",
        "url": "https://issues.redhat.com/browse/QUARKUS-6847"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6848",
        "url": "https://issues.redhat.com/browse/QUARKUS-6848"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6849",
        "url": "https://issues.redhat.com/browse/QUARKUS-6849"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6850",
        "url": "https://issues.redhat.com/browse/QUARKUS-6850"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6851",
        "url": "https://issues.redhat.com/browse/QUARKUS-6851"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6852",
        "url": "https://issues.redhat.com/browse/QUARKUS-6852"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6853",
        "url": "https://issues.redhat.com/browse/QUARKUS-6853"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6854",
        "url": "https://issues.redhat.com/browse/QUARKUS-6854"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6855",
        "url": "https://issues.redhat.com/browse/QUARKUS-6855"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6856",
        "url": "https://issues.redhat.com/browse/QUARKUS-6856"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6857",
        "url": "https://issues.redhat.com/browse/QUARKUS-6857"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6858",
        "url": "https://issues.redhat.com/browse/QUARKUS-6858"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6859",
        "url": "https://issues.redhat.com/browse/QUARKUS-6859"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6860",
        "url": "https://issues.redhat.com/browse/QUARKUS-6860"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6861",
        "url": "https://issues.redhat.com/browse/QUARKUS-6861"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6862",
        "url": "https://issues.redhat.com/browse/QUARKUS-6862"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6863",
        "url": "https://issues.redhat.com/browse/QUARKUS-6863"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6864",
        "url": "https://issues.redhat.com/browse/QUARKUS-6864"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6865",
        "url": "https://issues.redhat.com/browse/QUARKUS-6865"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6866",
        "url": "https://issues.redhat.com/browse/QUARKUS-6866"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6867",
        "url": "https://issues.redhat.com/browse/QUARKUS-6867"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6868",
        "url": "https://issues.redhat.com/browse/QUARKUS-6868"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6869",
        "url": "https://issues.redhat.com/browse/QUARKUS-6869"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6870",
        "url": "https://issues.redhat.com/browse/QUARKUS-6870"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6871",
        "url": "https://issues.redhat.com/browse/QUARKUS-6871"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6872",
        "url": "https://issues.redhat.com/browse/QUARKUS-6872"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6873",
        "url": "https://issues.redhat.com/browse/QUARKUS-6873"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6874",
        "url": "https://issues.redhat.com/browse/QUARKUS-6874"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6875",
        "url": "https://issues.redhat.com/browse/QUARKUS-6875"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6883",
        "url": "https://issues.redhat.com/browse/QUARKUS-6883"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6884",
        "url": "https://issues.redhat.com/browse/QUARKUS-6884"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6885",
        "url": "https://issues.redhat.com/browse/QUARKUS-6885"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6886",
        "url": "https://issues.redhat.com/browse/QUARKUS-6886"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6887",
        "url": "https://issues.redhat.com/browse/QUARKUS-6887"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6888",
        "url": "https://issues.redhat.com/browse/QUARKUS-6888"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6889",
        "url": "https://issues.redhat.com/browse/QUARKUS-6889"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6890",
        "url": "https://issues.redhat.com/browse/QUARKUS-6890"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6893",
        "url": "https://issues.redhat.com/browse/QUARKUS-6893"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6894",
        "url": "https://issues.redhat.com/browse/QUARKUS-6894"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6895",
        "url": "https://issues.redhat.com/browse/QUARKUS-6895"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6897",
        "url": "https://issues.redhat.com/browse/QUARKUS-6897"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6898",
        "url": "https://issues.redhat.com/browse/QUARKUS-6898"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6899",
        "url": "https://issues.redhat.com/browse/QUARKUS-6899"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6900",
        "url": "https://issues.redhat.com/browse/QUARKUS-6900"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6902",
        "url": "https://issues.redhat.com/browse/QUARKUS-6902"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6903",
        "url": "https://issues.redhat.com/browse/QUARKUS-6903"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6906",
        "url": "https://issues.redhat.com/browse/QUARKUS-6906"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6909",
        "url": "https://issues.redhat.com/browse/QUARKUS-6909"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6911",
        "url": "https://issues.redhat.com/browse/QUARKUS-6911"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6912",
        "url": "https://issues.redhat.com/browse/QUARKUS-6912"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6913",
        "url": "https://issues.redhat.com/browse/QUARKUS-6913"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6916",
        "url": "https://issues.redhat.com/browse/QUARKUS-6916"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6919",
        "url": "https://issues.redhat.com/browse/QUARKUS-6919"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6920",
        "url": "https://issues.redhat.com/browse/QUARKUS-6920"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6922",
        "url": "https://issues.redhat.com/browse/QUARKUS-6922"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6925",
        "url": "https://issues.redhat.com/browse/QUARKUS-6925"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6927",
        "url": "https://issues.redhat.com/browse/QUARKUS-6927"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6928",
        "url": "https://issues.redhat.com/browse/QUARKUS-6928"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6931",
        "url": "https://issues.redhat.com/browse/QUARKUS-6931"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6932",
        "url": "https://issues.redhat.com/browse/QUARKUS-6932"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6933",
        "url": "https://issues.redhat.com/browse/QUARKUS-6933"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6935",
        "url": "https://issues.redhat.com/browse/QUARKUS-6935"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22622.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1 release and security update",
    "tracking": {
      "current_release_date": "2025-12-04T16:54:49+00:00",
      "generator": {
        "date": "2025-12-04T16:54:49+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.13"
        }
      },
      "id": "RHSA-2025:22622",
      "initial_release_date": "2025-12-04T11:30:16+00:00",
      "revision_history": [
        {
          "date": "2025-12-04T11:30:16+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-12-04T11:30:16+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-12-04T16:54:49+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Quarkus 3.27.1",
                "product": {
                  "name": "Red Hat build of Quarkus 3.27.1",
                  "product_id": "Red Hat build of Quarkus 3.27.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:quarkus:3.27::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Quarkus"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-64518",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2025-11-10T23:01:19.239351+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2413922"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library\u2019s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM (XML) is validated, external XML entities can be processed (XXE), allowing an attacker to cause the application to disclose local files or make requests to internal network resources. This can occur when untrusted BOM XML is parsed or validated by the library.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The flaw has been rated High severity, because a remote attacker could craft a malicious CycloneDX SBOM that, when validated by an affected system, may result in disclosure of sensitive information from local files or internal network resources. Exploitation does not require authentication or user interaction, but it depends on the application accepting and processing untrusted CycloneDX XML input, the environments that automatically ingest SBOMs from external or untrusted sources.\n\n~~~\n\nThis issue was introduced in cyclonedx-core-java v2.1.0 via commit https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9.\n\nThis vulnerability is related to, but distinct from, the previously fixed CVE-2024-38374, which addressed a similar XML External Entity (XXE) flaw in the SBOM parsing logic. That earlier fix secured the XML parser but did not cover the separate validation process, leaving this secondary XXE path unprotected. This new CVE closes that remaining gap by securing the XML validator used during schema validation.\n\n~~~\n~~~\n\nFor rhint-camel-spring-boot-4, the impact is assessed as Low.\nThe vulnerable component (cyclonedx-core-java) is part of the build-time plugin (cyclonedx-maven-plugin) used to generate SBOM metadata. That plugin runs only during the build, and is not included, shipped, or executed at runtime in the delivered product. Consequently, the vulnerability does not affect runtime behavior or security of deployed instances, and cannot be exploited in customer environments.\n\n~~~",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.27.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "RHBZ#2413922",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413922"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-64518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory",
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r"
        }
      ],
      "release_date": "2025-11-10T22:08:06.229000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-04T11:30:16+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.27.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:22622"
        },
        {
          "category": "workaround",
          "details": "Reject or block XML-formatted BOMs from untrusted sources before handing them to the library (e.g., require BOMs to be JSON or only accept BOMs from trusted origins).",
          "product_ids": [
            "Red Hat build of Quarkus 3.27.1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.27.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection"
    }
  ]
}

RHSA-2025:22195

Vulnerability from csaf_redhat - Published: 2025-12-01 21:02 - Updated: 2025-12-04 16:54

Summary

Red Hat Security Advisory: Red Hat build of Quarkus 3.20.4 release and security update

Notes

Topic

Details

This release of Red Hat build of Quarkus 3.20.4 includes the following CVE fixes: * cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection [quarkus-3.20] (CVE-2025-64518) For more information, see the release notes page listed in the References section.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat build of Quarkus 3.20.4 includes the following CVE fixes:\n\n* cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection [quarkus-3.20] (CVE-2025-64518)\n\nFor more information, see the release notes page listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:22195",
        "url": "https://access.redhat.com/errata/RHSA-2025:22195"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/products/quarkus/",
        "url": "https://access.redhat.com/products/quarkus/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.20.4"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20",
        "url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.20"
      },
      {
        "category": "external",
        "summary": "QUARKUS-4612",
        "url": "https://issues.redhat.com/browse/QUARKUS-4612"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6820",
        "url": "https://issues.redhat.com/browse/QUARKUS-6820"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6821",
        "url": "https://issues.redhat.com/browse/QUARKUS-6821"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6822",
        "url": "https://issues.redhat.com/browse/QUARKUS-6822"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6823",
        "url": "https://issues.redhat.com/browse/QUARKUS-6823"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6824",
        "url": "https://issues.redhat.com/browse/QUARKUS-6824"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6826",
        "url": "https://issues.redhat.com/browse/QUARKUS-6826"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6829",
        "url": "https://issues.redhat.com/browse/QUARKUS-6829"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6830",
        "url": "https://issues.redhat.com/browse/QUARKUS-6830"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6832",
        "url": "https://issues.redhat.com/browse/QUARKUS-6832"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6833",
        "url": "https://issues.redhat.com/browse/QUARKUS-6833"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22195.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.20.4 release and security update",
    "tracking": {
      "current_release_date": "2025-12-04T16:54:47+00:00",
      "generator": {
        "date": "2025-12-04T16:54:47+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.13"
        }
      },
      "id": "RHSA-2025:22195",
      "initial_release_date": "2025-12-01T21:02:54+00:00",
      "revision_history": [
        {
          "date": "2025-12-01T21:02:54+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-12-01T21:02:54+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-12-04T16:54:47+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Quarkus 3.20.4",
                "product": {
                  "name": "Red Hat build of Quarkus 3.20.4",
                  "product_id": "Red Hat build of Quarkus 3.20.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:quarkus:3.20::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Quarkus"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-64518",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2025-11-10T23:01:19.239351+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2413922"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library\u2019s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM (XML) is validated, external XML entities can be processed (XXE), allowing an attacker to cause the application to disclose local files or make requests to internal network resources. This can occur when untrusted BOM XML is parsed or validated by the library.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The flaw has been rated High severity, because a remote attacker could craft a malicious CycloneDX SBOM that, when validated by an affected system, may result in disclosure of sensitive information from local files or internal network resources. Exploitation does not require authentication or user interaction, but it depends on the application accepting and processing untrusted CycloneDX XML input, the environments that automatically ingest SBOMs from external or untrusted sources.\n\n~~~\n\nThis issue was introduced in cyclonedx-core-java v2.1.0 via commit https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9.\n\nThis vulnerability is related to, but distinct from, the previously fixed CVE-2024-38374, which addressed a similar XML External Entity (XXE) flaw in the SBOM parsing logic. That earlier fix secured the XML parser but did not cover the separate validation process, leaving this secondary XXE path unprotected. This new CVE closes that remaining gap by securing the XML validator used during schema validation.\n\n~~~\n~~~\n\nFor rhint-camel-spring-boot-4, the impact is assessed as Low.\nThe vulnerable component (cyclonedx-core-java) is part of the build-time plugin (cyclonedx-maven-plugin) used to generate SBOM metadata. That plugin runs only during the build, and is not included, shipped, or executed at runtime in the delivered product. Consequently, the vulnerability does not affect runtime behavior or security of deployed instances, and cannot be exploited in customer environments.\n\n~~~",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.20.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "RHBZ#2413922",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413922"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-64518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory",
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r"
        }
      ],
      "release_date": "2025-11-10T22:08:06.229000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-01T21:02:54+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:22195"
        },
        {
          "category": "workaround",
          "details": "Reject or block XML-formatted BOMs from untrusted sources before handing them to the library (e.g., require BOMs to be JSON or only accept BOMs from trusted origins).",
          "product_ids": [
            "Red Hat build of Quarkus 3.20.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.20.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-64518 (GCVE-0-2025-64518)

GHSA-6FHJ-VR9J-G45R

Impact

Patches

Workarounds

References

FKIE_CVE-2025-64518

RHSA-2025:22622

RHSA-2025:22195

Tags

Sightings

Nomenclature