CVE-2025-53621: DSpace open source software is a repository application which provides durable access to digital resources. Two related
Summary
DSpace, an open-source application for storing and accessing digital files, has a vulnerability in versions before 7.6.4, 8.2, and 9.1 where it doesn't properly disable XML External Entity (XXE) injection, a technique where attackers embed malicious code in XML files to read sensitive files or steal data from the server). The vulnerability affects both the command-line import tool and the web interface's batch import feature, but only administrators can trigger it by importing archive files.
Solution / Mitigation
The source explicitly states: 'The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions.' For organizations unable to upgrade immediately, the source mentions: 'it is possible to manually patch the DSpace backend' and recommends administrators 'carefully inspect any SAF archives (they did not construct themselves) before importing' and 'affected external services can be disabled to mitigate the ability for payloads to be delivered via external service APIs.'
Vulnerability Details
6.9(medium)
EPSS: 0.1%
Classification
Taxonomy References
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-53621
First tracked: February 15, 2026 at 08:49 PM
Classified by LLM (prompt v3) · confidence: 72%