AVID-2026-R1481

Description

@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability (CVE-2024-34345)

Details

The CycloneDX JavaScript library contains the core functionality of OWASP CycloneDX for JavaScript. In version 6.7.0, XML External Entity (XXE) injection was possible when running the provided XML Validator on arbitrary input. This issue was fixed in version 6.7.1.

Reason for inclusion in AVID: CVE-2024-34345 describes an XML External Entity (XXE) vulnerability in the CycloneDX JavaScript library (cyclonedx-javascript-library), affecting version 6.7.0 and fixed in 6.7.1. The issue arises during XML validation, where external entities can be processed, enabling potential data disclosure or other impacts. While the vulnerability is not AI-specific, CycloneDX is a widely used software supply-chain tooling library for generating SBOMs and managing dependencies, and AI systems rely on such tooling throughout their software supply chains (build, package, deploy, run). It is therefore a software supply-chain vulnerability that could affect AI pipelines and deployments if the tool is used within those stacks. The CVE description, the CVSS details (high severity, network attack vector, no privileges required), and the references provide sufficient evidence for inclusion.

References

Affected or Relevant Artifacts

  • Developer: CycloneDX
  • Deployer: CycloneDX
  • Artifact Details:
      • Type: System
      • Name: cyclonedx-javascript-library

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.1
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 8.1
  • Base Severity: 🔴 High
  • Attack Vector: NETWORK
  • Attack Complexity: 🔴 High
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-611
  • Description: Improper Restriction of XML External Entity Reference

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-05-09
  • Version: 0.3.3
  • AVID Entry