CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-53621: DSpace vulnerable to XML External Entity (XXE) injection in import via Simple Archive Format (SAF) or import from external sources

6.9 CVSS

Description

DSpace open source software is a repository application which provides durable access to digital resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace prior to 7.6.4, 8.2, and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator, who would trigger the import. The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions. For those who ...

Classification

CVE ID: CVE-2025-53621

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L

Problem Types

CWE-611: Improper Restriction of XML External Entity Reference

Affected Products

Vendor: DSpace

Product: DSpace

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-53621
https://github.com/DSpace/DSpace/security/advisories/GHSA-jjwr-5cfh-7xwh
https://github.com/DSpace/DSpace/pull/11032
https://github.com/DSpace/DSpace/pull/11032.patch
https://github.com/DSpace/DSpace/pull/11034
https://github.com/DSpace/DSpace/pull/11034.patch
https://github.com/DSpace/DSpace/pull/11035
https://github.com/DSpace/DSpace/pull/11035.patch

Timeline

2025-07-15 15:40:13 UTC
CVE

DSpace vulnerable to XML External Entity (XXE) injection in import via Simple Archive Format (SAF) or import from external sources
2025-07-15 19:15:26 UTC
Github Advisory Database (Maven)

[org.dspace:dspace-api] DSpace is vulnerable to XML External Entity injection during archive imports