CVE-2025-65482 (XXE) in XDocReport

Vulnerability Overview
- Type: XML External Entity Injection (XXE)
- Severity: High
- Impact: Sensitive data leakage, service disruption, data theft, etc.

Affected Component
Component:
- XDocReport (versions <= 2.0.3)

Root Cause Analysis
XDocReport relies on Apache POI to process .docx documents. Apache POI parses the document's XML parts with a SAXParser which, by default, disables neither DTD processing nor external entity resolution. Any DOCTYPE and entity declarations an attacker places in a part are therefore honored, which is the XXE vulnerability.

Exploitation Steps
1. Unpack the .docx file (it is a zip archive), modify , and insert external entity references.
2. Repackage the .docx file and upload it to the server.
3. When the server processes the .docx file, the parser resolves the external entities.

Scope of Impact
By crafting malicious XML entity references, an attacker can make the server read local files or access external resources on the attacker's behalf.

Remediation
- Disable DTD processing in , e.g., by setting .
- Use securely configured XML processing libraries, or upgrade XDocReport to a version that fixes this issue.

Key Information Summary:
- CVE ID: CVE-2025-65482
- Vulnerability Type: XXE (XML External Entity Injection)
- Affected Component: XDocReport's .docx file processing logic
- Root Cause: The Apache POI parser used by XDocReport does not disable DTD processing, leading to an XXE vulnerability
- Remediation Recommendation: Disable DTD functionality in the XML parser, or upgrade XDocReport to a patched version
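The following is an added example, not code from XDocReport or Apache POI. It shows the two halves of the advisory together: what a poisoned `word/document.xml` part looks like after the exploitation steps above, and what the remediation ("disable DTD processing in the parser") amounts to when the parser is a JAXP `SAXParser`. The class name, the entity target `file:///etc/hostname`, the payload text and the `docxContainsDoctype` upload gate are all assumptions made for this demonstration; the feature URIs are the standard Xerces/SAX ones and are what a hardened factory would set.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DocxXxeDemo {

    // Constructed lab payload (assumption, not the advisory's payload): a word/document.xml
    // part with an external entity declared in its DOCTYPE and referenced from a text run.
    static final String POISONED_DOCUMENT_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE w:document [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<w:document xmlns:w=\"http://schemas.openxmlformats.org/wordprocessingml/2006/main\">\n"
      + "  <w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body>\n"
      + "</w:document>\n";

    /** Default JAXP factory: DOCTYPE is accepted and external entities are resolved (vulnerable). */
    static SAXParser unsafeParser() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    /** Hardened factory: refuse DOCTYPE outright, and disable entity resolution as defense in depth. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    /** Parse one OOXML part and collect its text nodes, so the effect of entity expansion is visible. */
    static String extractText(SAXParser parser, String xml) throws IOException, SAXException {
        StringBuilder sb = new StringBuilder();
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int length) {
                sb.append(ch, start, length);
            }
        });
        return sb.toString().trim();
    }

    /** Upload gate (assumed helper): a .docx is a zip, and no legitimate OOXML part carries a DOCTYPE. */
    static boolean docxContainsDoctype(Path docx) throws IOException {
        try (ZipInputStream zin = new ZipInputStream(Files.newInputStream(docx))) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                String name = e.getName();
                if (e.isDirectory() || !(name.endsWith(".xml") || name.endsWith(".rels"))) continue;
                String part = new String(zin.readAllBytes(), StandardCharsets.UTF_8); // reads current entry
                if (part.contains("<!DOCTYPE") || part.contains("<!ENTITY")) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Default parser: the entity is resolved and the file's contents appear as document text
        // (on a non-Linux host the SYSTEM target may not exist and an IOException is thrown instead).
        System.out.println("default parser text: " + extractText(unsafeParser(), POISONED_DOCUMENT_XML));
        try {
            extractText(hardenedParser(), POISONED_DOCUMENT_XML);
        } catch (SAXParseException ex) {
            // disallow-doctype-decl makes the parser fail on the DOCTYPE before any entity is touched.
            System.out.println("hardened parser rejected the part: " + ex.getMessage());
        }
        if (args.length > 0) {
            System.out.println("docx has DOCTYPE/ENTITY: " + docxContainsDoctype(Path.of(args[0])));
        }
    }
}
```

Run with `javac DocxXxeDemo.java && java DocxXxeDemo [file.docx]`. The `disallow-doctype-decl` feature is the single setting that closes the hole; the remaining features matter for parsers that must accept a DOCTYPE for other reasons. The zip-level check is a cheap pre-filter for an upload endpoint, but it is not a substitute for the parser configuration, since the parser that XDocReport or POI instantiates internally is the one that has to be hardened (or upgraded).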