Vulnerable Library - cyclonedx-core-java-9.0.2.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://github.com/CycloneDX/cyclonedx-core-java
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/cyclonedx/cyclonedx-core-java/9.0.2/cyclonedx-core-java-9.0.2.jar
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-64518
Vulnerable Library - cyclonedx-core-java-9.0.2.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://github.com/CycloneDX/cyclonedx-core-java
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/cyclonedx/cyclonedx-core-java/9.0.2/cyclonedx-core-java-9.0.2.jar
Dependency Hierarchy:
- ❌ cyclonedx-core-java-9.0.2.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML "Validator" used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
Publish Date: 2025-11-10
URL: CVE-2025-64518
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-11-10
Fix Resolution: https://github.com/CycloneDX/cyclonedx-core-java.git - cyclonedx-core-java-11.0.1
Step up your Open Source Security Game with Mend here
CVE-2024-38374
Vulnerable Library - cyclonedx-core-java-9.0.2.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://github.com/CycloneDX/cyclonedx-core-java
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/cyclonedx/cyclonedx-core-java/9.0.2/cyclonedx-core-java-9.0.2.jar
Dependency Hierarchy:
- ❌ cyclonedx-core-java-9.0.2.jar (Vulnerable Library)
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The "DocumentBuilderFactory" used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-06-28
URL: CVE-2024-38374
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-683x-4444-jxh8
Release Date: 2024-06-28
Fix Resolution: org.cyclonedx:cyclonedx-core-java:9.0.4
Step up your Open Source Security Game with Mend here
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://github.com/CycloneDX/cyclonedx-core-java
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/cyclonedx/cyclonedx-core-java/9.0.2/cyclonedx-core-java-9.0.2.jar
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - cyclonedx-core-java-9.0.2.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://github.com/CycloneDX/cyclonedx-core-java
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/cyclonedx/cyclonedx-core-java/9.0.2/cyclonedx-core-java-9.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Starting in version 2.1.0 and prior to version 11.0.1, the XML "Validator" used by cyclonedx-core-java was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. The fix for GHSA-683x-4444-jxh8 / CVE-2024-38374 was incomplete in that it only fixed parsing of XML BOMs, but not validation. The vulnerability has been fixed in cyclonedx-core-java version 11.0.1. As a workaround, applications can reject XML documents before handing them to cyclonedx-core-java for validation. This may be an option if incoming CycloneDX BOMs are known to be in JSON format.
Publish Date: 2025-11-10
URL: CVE-2025-64518
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-11-10
Fix Resolution: https://github.com/CycloneDX/cyclonedx-core-java.git - cyclonedx-core-java-11.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - cyclonedx-core-java-9.0.2.jar
The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.
Library home page: https://github.com/CycloneDX/cyclonedx-core-java
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/cyclonedx/cyclonedx-core-java/9.0.2/cyclonedx-core-java-9.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 21c100d3b0fee337e9a99e3a324b449f35be9262
Found in base branch: master
Vulnerability Details
The CycloneDX core module provides a model representation of the SBOM along with utilities to assist in creating, validating, and parsing SBOMs. Before deserializing CycloneDX Bill of Materials in XML format, cyclonedx-core-java leverages XPath expressions to determine the schema version of the BOM. The "DocumentBuilderFactory" used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. This vulnerability has been fixed in cyclonedx-core-java version 9.0.4.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-06-28
URL: CVE-2024-38374
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-683x-4444-jxh8
Release Date: 2024-06-28
Fix Resolution: org.cyclonedx:cyclonedx-core-java:9.0.4
Step up your Open Source Security Game with Mend here