CVE-2024-34345

HIGH

CycloneDX <6.7.0 - XML Injection

Title source: llm

Description

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In 6.7.0, XML External entity injections were possible, when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.

References (3)

[Vendor Advisory] https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

[Issue Tracking] https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063

[Patch] https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203

View Patch ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0008

EPSS Percentile 23.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-611

Status published

Products (2)

CycloneDX/cyclonedx-javascript-library = 6.7.0

cyclonedx/cyclonedx-library 6.7.0 - 6.7.1npm

Published May 14, 2024

Tracked Since Feb 18, 2026