cyclonedx-core-java-9.0.0.jar: 2 vulnerabilities (highest severity is: 7.5) #8
Description
Vulnerable Library - cyclonedx-core-java-9.0.0.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://owasp.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (cyclonedx-core-java version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-64518 |  High |
7.5 | Not Defined | 0.1% | cyclonedx-core-java-9.0.0.jar | Direct | https://github.com/CycloneDX/cyclonedx-core-java.git - cyclonedx-core-java-11.0.1 | ✅ | |
| CVE-2024-38374 | High |
7.5 | Not Defined | 0.1% | cyclonedx-core-java-9.0.0.jar | Direct | N/A | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-64518
Vulnerable Library - cyclonedx-core-java-9.0.0.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://owasp.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
- ❌ cyclonedx-core-java-9.0.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML "Validator" used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
Publish Date: 2025-11-10
URL: CVE-2025-64518
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-10
Fix Resolution: https://github.com/CycloneDX/cyclonedx-core-java.git - cyclonedx-core-java-11.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-38374
Vulnerable Library - cyclonedx-core-java-9.0.0.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://owasp.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
- ❌ cyclonedx-core-java-9.0.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The "DocumentBuilderFactory" used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-06-28
URL: CVE-2024-38374
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
⛑️Automatic Remediation will be attempted for this issue.