RHSA-2025:22622

Vulnerability from csaf_redhat - Published: 2025-12-04 11:30 - Updated: 2026-03-24 13:16
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1 release and security update
Severity
Important
Notes
Topic: An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details: This release of Red Hat build of Quarkus 3.27.1 includes the following CVE fix:
* cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection [quarkus-3.27] (CVE-2025-64518)
For more information, see the release notes page listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library’s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM (XML) is validated, external XML entities can be processed (XXE), allowing an attacker to cause the application to disclose local files or make requests to internal network resources. This can occur when untrusted BOM XML is parsed or validated by the library.

CWE-611 - Improper Restriction of XML External Entity Reference
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 and https://access.redhat.com/errata/RHSA-2025:22622
Workaround: Reject or block XML-formatted BOMs from untrusted sources before handing them to the library (e.g., require BOMs to be JSON or only accept BOMs from trusted origins).
References
https://access.redhat.com/errata/RHSA-2025:22622 self
https://access.redhat.com/security/updates/classi… external
https://access.redhat.com/products/quarkus/ external
https://access.redhat.com/jbossnetwork/restricted… external
https://docs.redhat.com/en/documentation/red_hat_… external
https://issues.redhat.com/browse/QUARKUS-6260 external
https://issues.redhat.com/browse/QUARKUS-6582 external
https://issues.redhat.com/browse/QUARKUS-6583 external
https://issues.redhat.com/browse/QUARKUS-6640 external
https://issues.redhat.com/browse/QUARKUS-6686 external
https://issues.redhat.com/browse/QUARKUS-6772 external
https://issues.redhat.com/browse/QUARKUS-6836 external
https://issues.redhat.com/browse/QUARKUS-6837 external
https://issues.redhat.com/browse/QUARKUS-6838 external
https://issues.redhat.com/browse/QUARKUS-6839 external
https://issues.redhat.com/browse/QUARKUS-6840 external
https://issues.redhat.com/browse/QUARKUS-6841 external
https://issues.redhat.com/browse/QUARKUS-6842 external
https://issues.redhat.com/browse/QUARKUS-6843 external
https://issues.redhat.com/browse/QUARKUS-6844 external
https://issues.redhat.com/browse/QUARKUS-6845 external
https://issues.redhat.com/browse/QUARKUS-6847 external
https://issues.redhat.com/browse/QUARKUS-6848 external
https://issues.redhat.com/browse/QUARKUS-6849 external
https://issues.redhat.com/browse/QUARKUS-6850 external
https://issues.redhat.com/browse/QUARKUS-6851 external
https://issues.redhat.com/browse/QUARKUS-6852 external
https://issues.redhat.com/browse/QUARKUS-6853 external
https://issues.redhat.com/browse/QUARKUS-6854 external
https://issues.redhat.com/browse/QUARKUS-6855 external
https://issues.redhat.com/browse/QUARKUS-6856 external
https://issues.redhat.com/browse/QUARKUS-6857 external
https://issues.redhat.com/browse/QUARKUS-6858 external
https://issues.redhat.com/browse/QUARKUS-6859 external
https://issues.redhat.com/browse/QUARKUS-6860 external
https://issues.redhat.com/browse/QUARKUS-6861 external
https://issues.redhat.com/browse/QUARKUS-6862 external
https://issues.redhat.com/browse/QUARKUS-6863 external
https://issues.redhat.com/browse/QUARKUS-6864 external
https://issues.redhat.com/browse/QUARKUS-6865 external
https://issues.redhat.com/browse/QUARKUS-6866 external
https://issues.redhat.com/browse/QUARKUS-6867 external
https://issues.redhat.com/browse/QUARKUS-6868 external
https://issues.redhat.com/browse/QUARKUS-6869 external
https://issues.redhat.com/browse/QUARKUS-6870 external
https://issues.redhat.com/browse/QUARKUS-6871 external
https://issues.redhat.com/browse/QUARKUS-6872 external
https://issues.redhat.com/browse/QUARKUS-6873 external
https://issues.redhat.com/browse/QUARKUS-6874 external
https://issues.redhat.com/browse/QUARKUS-6875 external
https://issues.redhat.com/browse/QUARKUS-6883 external
https://issues.redhat.com/browse/QUARKUS-6884 external
https://issues.redhat.com/browse/QUARKUS-6885 external
https://issues.redhat.com/browse/QUARKUS-6886 external
https://issues.redhat.com/browse/QUARKUS-6887 external
https://issues.redhat.com/browse/QUARKUS-6888 external
https://issues.redhat.com/browse/QUARKUS-6889 external
https://issues.redhat.com/browse/QUARKUS-6890 external
https://issues.redhat.com/browse/QUARKUS-6893 external
https://issues.redhat.com/browse/QUARKUS-6894 external
https://issues.redhat.com/browse/QUARKUS-6895 external
https://issues.redhat.com/browse/QUARKUS-6897 external
https://issues.redhat.com/browse/QUARKUS-6898 external
https://issues.redhat.com/browse/QUARKUS-6899 external
https://issues.redhat.com/browse/QUARKUS-6900 external
https://issues.redhat.com/browse/QUARKUS-6902 external
https://issues.redhat.com/browse/QUARKUS-6903 external
https://issues.redhat.com/browse/QUARKUS-6906 external
https://issues.redhat.com/browse/QUARKUS-6909 external
https://issues.redhat.com/browse/QUARKUS-6911 external
https://issues.redhat.com/browse/QUARKUS-6912 external
https://issues.redhat.com/browse/QUARKUS-6913 external
https://issues.redhat.com/browse/QUARKUS-6916 external
https://issues.redhat.com/browse/QUARKUS-6919 external
https://issues.redhat.com/browse/QUARKUS-6920 external
https://issues.redhat.com/browse/QUARKUS-6922 external
https://issues.redhat.com/browse/QUARKUS-6925 external
https://issues.redhat.com/browse/QUARKUS-6927 external
https://issues.redhat.com/browse/QUARKUS-6928 external
https://issues.redhat.com/browse/QUARKUS-6931 external
https://issues.redhat.com/browse/QUARKUS-6932 external
https://issues.redhat.com/browse/QUARKUS-6933 external
https://issues.redhat.com/browse/QUARKUS-6935 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2025-64518 self
https://bugzilla.redhat.com/show_bug.cgi?id=2413922 external
https://www.cve.org/CVERecord?id=CVE-2025-64518 external
https://nvd.nist.gov/vuln/detail/CVE-2025-64518 external
https://cheatsheetseries.owasp.org/cheatsheets/XM… external
https://github.com/CycloneDX/cyclonedx-core-java/… external
https://github.com/CycloneDX/cyclonedx-core-java/… external
https://github.com/CycloneDX/cyclonedx-core-java/… external
https://github.com/CycloneDX/cyclonedx-core-java/… external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This release of Red Hat build of Quarkus 3.27.1 includes the following CVE fix:\n\n* cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection [quarkus-3.27] (CVE-2025-64518)\n\nFor more information, see the release notes page listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:22622",
        "url": "https://access.redhat.com/errata/RHSA-2025:22622"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/products/quarkus/",
        "url": "https://access.redhat.com/products/quarkus/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus\u0026downloadType=distributions\u0026version=3.27.1"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27",
        "url": "https://docs.redhat.com/en/documentation/red_hat_build_of_quarkus/3.27"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6260",
        "url": "https://issues.redhat.com/browse/QUARKUS-6260"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6582",
        "url": "https://issues.redhat.com/browse/QUARKUS-6582"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6583",
        "url": "https://issues.redhat.com/browse/QUARKUS-6583"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6640",
        "url": "https://issues.redhat.com/browse/QUARKUS-6640"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6686",
        "url": "https://issues.redhat.com/browse/QUARKUS-6686"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6772",
        "url": "https://issues.redhat.com/browse/QUARKUS-6772"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6836",
        "url": "https://issues.redhat.com/browse/QUARKUS-6836"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6837",
        "url": "https://issues.redhat.com/browse/QUARKUS-6837"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6838",
        "url": "https://issues.redhat.com/browse/QUARKUS-6838"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6839",
        "url": "https://issues.redhat.com/browse/QUARKUS-6839"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6840",
        "url": "https://issues.redhat.com/browse/QUARKUS-6840"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6841",
        "url": "https://issues.redhat.com/browse/QUARKUS-6841"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6842",
        "url": "https://issues.redhat.com/browse/QUARKUS-6842"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6843",
        "url": "https://issues.redhat.com/browse/QUARKUS-6843"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6844",
        "url": "https://issues.redhat.com/browse/QUARKUS-6844"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6845",
        "url": "https://issues.redhat.com/browse/QUARKUS-6845"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6847",
        "url": "https://issues.redhat.com/browse/QUARKUS-6847"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6848",
        "url": "https://issues.redhat.com/browse/QUARKUS-6848"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6849",
        "url": "https://issues.redhat.com/browse/QUARKUS-6849"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6850",
        "url": "https://issues.redhat.com/browse/QUARKUS-6850"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6851",
        "url": "https://issues.redhat.com/browse/QUARKUS-6851"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6852",
        "url": "https://issues.redhat.com/browse/QUARKUS-6852"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6853",
        "url": "https://issues.redhat.com/browse/QUARKUS-6853"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6854",
        "url": "https://issues.redhat.com/browse/QUARKUS-6854"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6855",
        "url": "https://issues.redhat.com/browse/QUARKUS-6855"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6856",
        "url": "https://issues.redhat.com/browse/QUARKUS-6856"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6857",
        "url": "https://issues.redhat.com/browse/QUARKUS-6857"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6858",
        "url": "https://issues.redhat.com/browse/QUARKUS-6858"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6859",
        "url": "https://issues.redhat.com/browse/QUARKUS-6859"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6860",
        "url": "https://issues.redhat.com/browse/QUARKUS-6860"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6861",
        "url": "https://issues.redhat.com/browse/QUARKUS-6861"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6862",
        "url": "https://issues.redhat.com/browse/QUARKUS-6862"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6863",
        "url": "https://issues.redhat.com/browse/QUARKUS-6863"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6864",
        "url": "https://issues.redhat.com/browse/QUARKUS-6864"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6865",
        "url": "https://issues.redhat.com/browse/QUARKUS-6865"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6866",
        "url": "https://issues.redhat.com/browse/QUARKUS-6866"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6867",
        "url": "https://issues.redhat.com/browse/QUARKUS-6867"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6868",
        "url": "https://issues.redhat.com/browse/QUARKUS-6868"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6869",
        "url": "https://issues.redhat.com/browse/QUARKUS-6869"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6870",
        "url": "https://issues.redhat.com/browse/QUARKUS-6870"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6871",
        "url": "https://issues.redhat.com/browse/QUARKUS-6871"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6872",
        "url": "https://issues.redhat.com/browse/QUARKUS-6872"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6873",
        "url": "https://issues.redhat.com/browse/QUARKUS-6873"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6874",
        "url": "https://issues.redhat.com/browse/QUARKUS-6874"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6875",
        "url": "https://issues.redhat.com/browse/QUARKUS-6875"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6883",
        "url": "https://issues.redhat.com/browse/QUARKUS-6883"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6884",
        "url": "https://issues.redhat.com/browse/QUARKUS-6884"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6885",
        "url": "https://issues.redhat.com/browse/QUARKUS-6885"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6886",
        "url": "https://issues.redhat.com/browse/QUARKUS-6886"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6887",
        "url": "https://issues.redhat.com/browse/QUARKUS-6887"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6888",
        "url": "https://issues.redhat.com/browse/QUARKUS-6888"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6889",
        "url": "https://issues.redhat.com/browse/QUARKUS-6889"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6890",
        "url": "https://issues.redhat.com/browse/QUARKUS-6890"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6893",
        "url": "https://issues.redhat.com/browse/QUARKUS-6893"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6894",
        "url": "https://issues.redhat.com/browse/QUARKUS-6894"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6895",
        "url": "https://issues.redhat.com/browse/QUARKUS-6895"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6897",
        "url": "https://issues.redhat.com/browse/QUARKUS-6897"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6898",
        "url": "https://issues.redhat.com/browse/QUARKUS-6898"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6899",
        "url": "https://issues.redhat.com/browse/QUARKUS-6899"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6900",
        "url": "https://issues.redhat.com/browse/QUARKUS-6900"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6902",
        "url": "https://issues.redhat.com/browse/QUARKUS-6902"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6903",
        "url": "https://issues.redhat.com/browse/QUARKUS-6903"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6906",
        "url": "https://issues.redhat.com/browse/QUARKUS-6906"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6909",
        "url": "https://issues.redhat.com/browse/QUARKUS-6909"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6911",
        "url": "https://issues.redhat.com/browse/QUARKUS-6911"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6912",
        "url": "https://issues.redhat.com/browse/QUARKUS-6912"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6913",
        "url": "https://issues.redhat.com/browse/QUARKUS-6913"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6916",
        "url": "https://issues.redhat.com/browse/QUARKUS-6916"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6919",
        "url": "https://issues.redhat.com/browse/QUARKUS-6919"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6920",
        "url": "https://issues.redhat.com/browse/QUARKUS-6920"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6922",
        "url": "https://issues.redhat.com/browse/QUARKUS-6922"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6925",
        "url": "https://issues.redhat.com/browse/QUARKUS-6925"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6927",
        "url": "https://issues.redhat.com/browse/QUARKUS-6927"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6928",
        "url": "https://issues.redhat.com/browse/QUARKUS-6928"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6931",
        "url": "https://issues.redhat.com/browse/QUARKUS-6931"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6932",
        "url": "https://issues.redhat.com/browse/QUARKUS-6932"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6933",
        "url": "https://issues.redhat.com/browse/QUARKUS-6933"
      },
      {
        "category": "external",
        "summary": "QUARKUS-6935",
        "url": "https://issues.redhat.com/browse/QUARKUS-6935"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_22622.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Quarkus 3.27.1 release and security update",
    "tracking": {
      "current_release_date": "2026-03-24T13:16:43+00:00",
      "generator": {
        "date": "2026-03-24T13:16:43+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2025:22622",
      "initial_release_date": "2025-12-04T11:30:16+00:00",
      "revision_history": [
        {
          "date": "2025-12-04T11:30:16+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-12-04T11:30:16+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-24T13:16:43+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Quarkus 3.27.1",
                "product": {
                  "name": "Red Hat build of Quarkus 3.27.1",
                  "product_id": "Red Hat build of Quarkus 3.27.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:quarkus:3.27::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Quarkus"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-64518",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2025-11-10T23:01:19.239351+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2413922"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An XML External Entity (XXE) injection vulnerability was found in the CycloneDX Java core library\u2019s XML validation step where the XML Validator was not configured securely. When a specially crafted CycloneDX BOM (XML) is validated, external XML entities can be processed (XXE), allowing an attacker to cause the application to disclose local files or make requests to internal network resources. This can occur when untrusted BOM XML is parsed or validated by the library.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The flaw has been rated High severity, because a remote attacker could craft a malicious CycloneDX SBOM that, when validated by an affected system, may result in disclosure of sensitive information from local files or internal network resources. Exploitation does not require authentication or user interaction, but it depends on the application accepting and processing untrusted CycloneDX XML input, the environments that automatically ingest SBOMs from external or untrusted sources.\n\n~~~\n\nThis issue was introduced in cyclonedx-core-java v2.1.0 via commit https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9.\n\nThis vulnerability is related to, but distinct from, the previously fixed CVE-2024-38374, which addressed a similar XML External Entity (XXE) flaw in the SBOM parsing logic. That earlier fix secured the XML parser but did not cover the separate validation process, leaving this secondary XXE path unprotected. This new CVE closes that remaining gap by securing the XML validator used during schema validation.\n\n~~~\n~~~\n\nFor rhint-camel-spring-boot-4, the impact is assessed as Low.\nThe vulnerable component (cyclonedx-core-java) is part of the build-time plugin (cyclonedx-maven-plugin) used to generate SBOM metadata. That plugin runs only during the build, and is not included, shipped, or executed at runtime in the delivered product. Consequently, the vulnerability does not affect runtime behavior or security of deployed instances, and cannot be exploited in customer environments.\n\n~~~",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Quarkus 3.27.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "RHBZ#2413922",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2413922"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-64518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64518"
        },
        {
          "category": "external",
          "summary": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory",
          "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/162aa594f347b3f612fe0a45071693c3cd398ce9"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/commit/af0ec75c93c03f93733a070c5132554490af5314"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/pull/737"
        },
        {
          "category": "external",
          "summary": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r",
          "url": "https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-6fhj-vr9j-g45r"
        }
      ],
      "release_date": "2025-11-10T22:08:06.229000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-12-04T11:30:16+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Quarkus 3.27.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:22622"
        },
        {
          "category": "workaround",
          "details": "Reject or block XML-formatted BOMs from untrusted sources before handing them to the library (e.g., require BOMs to be JSON or only accept BOMs from trusted origins).",
          "product_ids": [
            "Red Hat build of Quarkus 3.27.1"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Quarkus 3.27.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "cyclonedx-core-java: CycloneDX Core (Java): BOM validation is vulnerable to XML External Entity injection"
    }
  ]
}