CVE-2025-63917

Exploit

EPSS 0.1%
Veröffentlicht 17.11.2025 00:00:00
Zuletzt bearbeitet 08.01.2026 17:27:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cnblogs ≫ Pdfpatcher Version <= 1.1.3.4663

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.269

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://www.cnblogs.com/pdfpatcher

Product

https://github.com/wmjordan/PDFPatcher

Product

https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/XXE-Importers.md

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-63917

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-63917

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-63917

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-63917