CVE-2025-4641 - Vulnerability Details - OpenCVE

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.0.2.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

No data.

No data.

No data.

References

Link	Providers
https://github.com/bonigarcia/webdrivermanager/pull/1458

History

Wed, 14 May 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 14 May 2025 18:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.0.2.
Title		XML External Entity (XXE) injection vulnerability in WebDriverManager
Weaknesses		CWE-611
References		https://github.com/bonigarcia/webdrivermanager/pull/1458
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published: 2025-05-14T18:09:26.105Z

Updated: 2025-05-14T20:49:57.890Z

Reserved: 2025-05-13T02:36:29.519Z

Link: CVE-2025-4641

Vulnrichment

Updated: 2025-05-14T20:49:55.420Z

NVD

Status : Awaiting Analysis

Published: 2025-05-14T19:15:53.683

Modified: 2025-05-16T14:43:26.160

Link: CVE-2025-4641

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-4641", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2025-05-13T02:36:29.519Z", "datePublished": "2025-05-14T18:09:26.105Z", "dateUpdated": "2025-05-14T20:49:57.890Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://mvnrepository.com/artifact/io.github.bonigarcia/webdrivermanager", "defaultStatus": "affected", "modules": ["XML parsing components"], "packageName": "WebDriverManager", "platforms": ["Windows", "MacOS", "Linux"], "product": "webdrivermanager", "programFiles": ["src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java"], "repo": "https://github.com/bonigarcia/webdrivermanager", "vendor": "bonigarcia", "versions": [{"lessThan": "6.0.2", "status": "affected", "version": "1.0.0", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "finder", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup.<p> This vulnerability is associated with program files <tt>src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java</tt>.</p><p>This issue affects webdrivermanager: from 1.0.0 before 6.0.2.</p>"}], "value": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.\n\nThis issue affects webdrivermanager: from 1.0.0 before 6.0.2."}], "impacts": [{"capecId": "CAPEC-221", "descriptions": [{"lang": "en", "value": "CAPEC-221 Data Serialization External Entities Blowup"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2025-05-14T18:09:26.105Z"}, "references": [{"url": "https://github.com/bonigarcia/webdrivermanager/pull/1458"}], "source": {"discovery": "UNKNOWN"}, "title": "XML External Entity (XXE) injection vulnerability in WebDriverManager", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T20:49:52.243488Z", "id": "CVE-2025-4641", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T20:49:57.890Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-4641", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-14T20:49:52.243488Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T20:49:55.420Z"}}], "cna": {"title": "XML External Entity (XXE) injection vulnerability in WebDriverManager", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "TITAN Team (titancaproject@gmail.com)"}], "impacts": [{"capecId": "CAPEC-221", "descriptions": [{"lang": "en", "value": "CAPEC-221 Data Serialization External Entities Blowup"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/bonigarcia/webdrivermanager", "vendor": "bonigarcia", "modules": ["XML parsing components"], "product": "webdrivermanager", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "6.0.2", "versionType": "maven"}], "platforms": ["Windows", "MacOS", "Linux"], "packageName": "WebDriverManager", "programFiles": ["src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java"], "collectionURL": "https://mvnrepository.com/artifact/io.github.bonigarcia/webdrivermanager", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/bonigarcia/webdrivermanager/pull/1458"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.\n\nThis issue affects webdrivermanager: from 1.0.0 before 6.0.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup.<p> This vulnerability is associated with program files <tt>src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java</tt>.</p><p>This issue affects webdrivermanager: from 1.0.0 before 6.0.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2025-05-14T18:09:26.105Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4641", "state": "PUBLISHED", "dateUpdated": "2025-05-14T20:49:57.890Z", "dateReserved": "2025-05-13T02:36:29.519Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2025-05-14T18:09:26.105Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager WebDriverManager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.\n\nThis issue affects webdrivermanager: from 1.0.0 before 6.0.2."}, {"lang": "es", "value": "Vulnerabilidad de restricci\u00f3n incorrecta de referencias a entidades externas XML en bonigarcia webdrivermanager. WebDriverManager en Windows, macOS y Linux (m\u00f3dulos de componentes de an\u00e1lisis XML) permite la expansi\u00f3n de entidades externas por serializaci\u00f3n de datos. Esta vulnerabilidad est\u00e1 asociada a los archivos de programa src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. Este problema afecta a webdrivermanager desde la versi\u00f3n 1.0.0 hasta la 6.0.2."}], "id": "CVE-2025-4641", "lastModified": "2025-05-16T14:43:26.160", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2025-05-14T19:15:53.683", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/bonigarcia/webdrivermanager/pull/1458"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}