2.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66372

CVE-2025-66372: Mustangproject allows exfiltrating files via XXE attacks

Mustang before 2.16.3 allows exfiltrating files via XXE attacks.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66372

CVE-2025-66372:

2.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.mustangproject:library	maven	< 2.16.3	2.16.3
org.mustangproject:validator	maven	< 2.16.3	2.16.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in multiple locations across the mustangproject codebase where XML parsing is performed without proper security configurations. The identified functions all use javax.xml.parsers.DocumentBuilderFactory to create an XML parser. However, they failed to disable the processing of external entities, which is the root cause of the XML External Entity (XXE) vulnerability (CWE-611). An attacker could supply a specially crafted XML document containing external entity references to local files on the server. When the application parses this XML, it would resolve these entities and embed the content of the files into the XML data, which could then be returned in an error message or another part of the application's output, leading to information disclosure. The patch addresses this by explicitly setting features on the DocumentBuilderFactory instance to disable DTDs and external entities, such as setExpandEntityReferences(false), setFeature("http://apache.org/xml/features/disallow-doctype-decl", true), and setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true).

Vulnerable functions

org.mustangproject.ZUGFeRD.ZUGFeRDInvoiceImporter.setDocument

library/src/main/java/org/mustangproject/ZUGFeRD/ZUGFeRDInvoiceImporter.java

The function `setDocument` in `ZUGFeRDInvoiceImporter` was vulnerable to XXE because it used a `DocumentBuilderFactory` to parse an XML file without disabling external entity processing. An attacker could provide a specially crafted XML file to exfiltrate local files.

org.mustangproject.ZUGFeRD.ZUGFeRDVisualizer.findOutStandardFromRootNode

library/src/main/java/org/mustangproject/ZUGFeRD/ZUGFeRDVisualizer.java

The function `findOutStandardFromRootNode` in `ZUGFeRDVisualizer` was vulnerable to XXE because it used a `DocumentBuilderFactory` to parse an XML input stream without disabling external entity processing. This function is called by other public methods in the class, and an attacker could exploit this by providing a malicious XML file.

org.mustangproject.validator.XMLValidator.validate

validator/src/main/java/org/mustangproject/validator/XMLValidator.java

The `validate` function in `XMLValidator` was vulnerable to XXE. It parsed an XML string using a `DocumentBuilderFactory` without secure settings, allowing external entities to be processed. This could be exploited by a malicious user to read arbitrary files from the server.

org.mustangproject.validator.ZUGFeRDValidator.internalValidate

validator/src/main/java/org/mustangproject/validator/ZUGFeRDValidator.java

The `internalValidate` function in `ZUGFeRDValidator` was vulnerable to XXE attacks. It instantiated a `DocumentBuilderFactory` to parse an XML input stream without disabling features that allow for external entity resolution, making it possible to exfiltrate files from the system.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66372: Mustangproject allows exfiltrating files via XXE attacks

CVE-2025-66372:

2.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-66372: Mustangproject allows exfiltrating files via XXE attacks

2.8

2.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI