oss-sec mailing list archives
Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 12 Jan 2026 12:13:53 +0100
Looking through recent mails on this list with XXE in the topic, I see:

* XXE in Apache Struts due to insecure defaults in Java's standard library: CVE-2025-68493
* XXE in Apache SIS due to insecure defaults in Java's standard library: CVE-2025-68280
* XXE in Apache Tika due to insecure defaults in Java's standard library: CVE-2025-54988, CVE-2025-66516
* XXE in Apache Jackrabbit due to insecure defaults in Java's standard library: CVE-2025-53689
* XXE in Apache Ambari due to insecure defaults in Java's standard library: CVE-2025-23195
* XXE in Apache XML Graphics FOP due to insecure defaults in Java's standard library: CVE-2024-28168
* XXE in Apache Drill due to insecure defaults in Java's standard library: CVE-2023-48362

Also recently: my research on prevalent XXEs in electronic invoicing software, largely due to insecure defaults in Java and Saxon (which is based on Java): https://invoice.secvuln.info/

I'm sensing a pattern here. Maybe Apache should audit all their uses of Apache's XML standard library. And, maybe, having insecure defaults in Java's standard library is not so great.

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/
Current thread:
- CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Lukasz Lenart (Jan 11)
- Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Hanno Böck (Jan 12)
- Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Loganaden Velvindron (Jan 12)
- Re: CVE-2025-68493: Apache Struts: XXE vulnerability in outdated XWork component Hanno Böck (Jan 12)
