CVE-2025-53621: DSpace: XXE injection enables server file disclosure

MEDIUM
Published July 15, 2025
CISO Take

Upgrade DSpace to 7.6.4, 8.2, or 9.1 immediately. This XXE flaw allows a malicious SAF archive — or a poisoned XML response from ArXiv, Crossref, or OpenAIRE — to exfiltrate arbitrary server files (credentials, configs) when an admin triggers an import. Research institutions managing AI training datasets or model artifacts in DSpace are the primary target; a compromised upstream XML provider requires no social engineering of the admin at all.

Risk Assessment

Medium in isolation, elevated in AI research environments. Exploitability is constrained by the high-privilege prerequisite (site admin), but the two attack paths differ significantly in difficulty: the SAF archive vector requires social engineering, while the upstream XML provider vector (ArXiv, Crossref, OpenAIRE) could fire during routine metadata imports with no abnormal admin action. The CVSS Scope:Changed and Confidentiality:High scores reflect cross-boundary server file disclosure potential. DSpace deployments holding AI training datasets, proprietary research, or infrastructure credentials warrant priority patching.

Severity & Risk

CVSS 3.1: 6.9 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 23% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): None
Availability (A): Low

Recommended Action

5 steps
  1. PATCH

    Upgrade to DSpace 7.6.4, 8.2, or 9.1. A manual backend patch is available for deployments that cannot upgrade immediately.

  2. DISABLE

    Temporarily disable ArXiv, Crossref, OpenAIRE, and Creative Commons import integrations until patched — these are the passive attack vector.

  3. INSPECT

    Do not import any SAF archive not self-constructed; treat all externally sourced archives as untrusted.

  4. NETWORK CONTROLS

    Implement egress filtering on the DSpace/Tomcat server to block unexpected outbound connections.

  5. DETECT

    Monitor Tomcat for anomalous outbound connections and file reads outside the DSpace data directory. Review import logs for external entity references (DOCTYPE declarations in uploaded XML).

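Steps 3 and 5 above amount to refusing any SAF archive whose XML descriptors carry a DTD, since a Simple Archive Format descriptor such as dublin_core.xml never needs one. The following pre-import scanner is an added example written for this advisory, not DSpace project code: it opens a SAF zip in memory, locates the DOCTYPE region of every .xml member, and reports DOCTYPE, ENTITY and SYSTEM/PUBLIC constructs so an administrator can reject the archive before `./dspace import` or Batch Import (Zip) ever parses it. The archive it scans is constructed inline, and the entity path in the poisoned sample is a placeholder, not a real target.

```python
"""Pre-import scan of a DSpace Simple Archive Format (SAF) zip for DTD
constructs that an XXE payload depends on.

Added example for this advisory; it is not DSpace project code, and the
archive it scans is constructed in memory below."""
import io
import re
import zipfile

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
EXTERNAL_ID_RE = re.compile(rb"\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)

# Bound per-member reads so a single oversized member cannot stall the scan.
READ_LIMIT = 8 * 1024 * 1024


def dtd_region(data: bytes) -> bytes:
    """Return the DOCTYPE declaration (including any internal subset), or b''."""
    m = DOCTYPE_RE.search(data)
    if not m:
        return b""
    gt = data.find(b">", m.end())
    lb = data.find(b"[", m.end())
    if lb != -1 and (gt == -1 or lb < gt):
        end = data.find(b"]>", lb)        # <!DOCTYPE x [ ... ]>  (internal subset)
        end = end if end == -1 else end + 1
    else:
        end = gt                          # <!DOCTYPE x SYSTEM "...">  (bare)
    return data[m.start(): len(data) if end == -1 else end + 1]


def scan_xml_member(name: str, data: bytes) -> list:
    """Findings for one XML member as (member, reason) tuples.

    Any DOCTYPE is reported because SAF descriptors never need a DTD; ENTITY
    and SYSTEM/PUBLIC inside it are reported separately so the reviewer can
    see how far the payload goes."""
    findings = []
    dtd = dtd_region(data)
    if dtd:
        findings.append((name, "DOCTYPE declaration present"))
        if ENTITY_RE.search(dtd):
            findings.append((name, "ENTITY declaration in DTD"))
        if EXTERNAL_ID_RE.search(dtd):
            findings.append((name, "external identifier (SYSTEM/PUBLIC) in DTD"))
    return findings


def scan_saf_archive(zip_bytes: bytes) -> dict:
    """Scan every .xml member of a SAF zip; any finding means do not import."""
    findings, xml_members = [], 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".xml"):
                continue
            xml_members += 1
            with zf.open(info) as fh:
                data = fh.read(READ_LIMIT)
            findings.extend(scan_xml_member(info.filename, data))
    return {"xml_members": xml_members, "findings": findings,
            "safe_to_import": not findings}


def build_sample_archive(poisoned: bool) -> bytes:
    """Construct an in-memory SAF-style zip (sample data, not a real submission)."""
    clean_xml = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                 b'<dublin_core schema="dc">\n'
                 b'  <dcvalue element="title" qualifier="none">Sample dataset</dcvalue>\n'
                 b'</dublin_core>\n')
    # The shape the advisory describes: a DOCTYPE with an internal subset that
    # declares an external entity. The path is a placeholder, not a real target.
    poisoned_xml = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
                    b'<!DOCTYPE dublin_core [\n'
                    b'  <!ENTITY leak SYSTEM "file:///PLACEHOLDER_PATH">\n'
                    b']>\n'
                    b'<dublin_core schema="dc">\n'
                    b'  <dcvalue element="title" qualifier="none">&leak;</dcvalue>\n'
                    b'</dublin_core>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("item_001/contents", b"dataset.csv\n")
        zf.writestr("item_001/dublin_core.xml", poisoned_xml if poisoned else clean_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "poisoned"):
        print(label, scan_saf_archive(build_sample_archive(label == "poisoned")))
```

The scan is deliberately textual rather than parser-based: the point is to decide before any XML parser touches the archive, and a DOCTYPE of any kind is grounds for rejection here, including benign PUBLIC references, because the import path has no legitimate use for one.
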
CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 10 - Data and data governance
ISO 42001: A.6.2 - Data for AI systems, data collection and quality; A.9.3 - Use of AI tools and third-party AI services
NIST AI RMF: MANAGE 2.4 - Mechanisms for managing AI risks; MAP 2.3 - AI system risk identification and classification
OWASP LLM Top 10: LLM03 - Training Data Poisoning

Frequently Asked Questions

Is CVE-2025-53621 actively exploited?

No confirmed active exploitation of CVE-2025-53621 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2025-53621?

This vulnerability affects the following AI/ML architecture patterns: research data repositories, AI training data ingestion pipelines, scientific paper metadata systems, institutional AI artifact management.

What is the CVSS score for CVE-2025-53621?

CVE-2025-53621 has a CVSS v3.1 base score of 6.9 (MEDIUM). The EPSS exploitation probability is 0.08%.

Technical Details

NVD Description

DSpace open source software is a repository application which provides durable access to digital resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace prior to 7.6.4, 8.2, and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator, who would trigger the import. The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. One may also apply some best practices, though the protection provided is not as complete as upgrading. Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing. As necessary, affected external services can be disabled to mitigate the ability for payloads to be delivered via external service APIs.
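
The root cause named above, external entities not being disabled on the parser, is the same for both vectors, but the upstream path (ArXiv, Crossref, OpenAIRE, Creative Commons responses) offers no archive to inspect first, so the parser itself has to refuse DTD constructs. The following is an added example, not DSpace project code, showing a hardened parse of an upstream XML response with Python's stdlib expat parser: it rejects any DOCTYPE the moment it is declared (the same intent as the `http://apache.org/xml/features/disallow-doctype-decl` feature on a Java `DocumentBuilderFactory`) and, as defence in depth, refuses external entity references. The `<record><field name="...">` response shape and the placeholder entity path are constructed for the example.

```python
"""Hardened parsing of an upstream XML metadata response.

Added example for this advisory, not DSpace project code. The response
format below is a constructed, simplified stand-in for a provider response."""
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when a response carries DTD constructs the importer must not process."""


def parse_metadata_response(data: bytes) -> dict:
    """Parse <record><field name="...">text</field>...</record> into a dict,
    refusing any DOCTYPE (and therefore any entity declaration, internal or
    external) before the parser can act on it."""
    p = expat.ParserCreate()
    fields = {}
    state = {"name": None, "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE", before the internal subset is read, so no
        # ENTITY declaration is ever processed. Raising here aborts the parse.
        raise UnsafeXml("DOCTYPE declaration rejected in upstream response")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: never fetch an external entity even if one is reached.
        raise UnsafeXml("external entity reference rejected")

    def on_start(tag, attrs):
        if tag == "field":
            state["name"] = attrs.get("name")
            state["text"] = []

    def on_chars(text):
        # expat may deliver one text node in several chunks; collect them.
        if state["name"] is not None:
            state["text"].append(text)

    def on_end(tag):
        if tag == "field" and state["name"] is not None:
            fields[state["name"]] = "".join(state["text"])
            state["name"] = None

    p.StartDoctypeDeclHandler = on_doctype
    p.ExternalEntityRefHandler = on_external_entity
    p.StartElementHandler = on_start
    p.CharacterDataHandler = on_chars
    p.EndElementHandler = on_end
    p.Parse(data, True)
    return fields


# Constructed sample responses (not real provider output).
CLEAN_RESPONSE = (b'<?xml version="1.0"?>'
                  b'<record><field name="title">Sample dataset</field>'
                  b'<field name="doi">10.0000/placeholder</field></record>')
POISONED_RESPONSE = (b'<?xml version="1.0"?>'
                     b'<!DOCTYPE record [<!ENTITY x SYSTEM "file:///PLACEHOLDER_PATH">]>'
                     b'<record><field name="title">&x;</field></record>')


if __name__ == "__main__":
    print(parse_metadata_response(CLEAN_RESPONSE))
    try:
        parse_metadata_response(POISONED_RESPONSE)
    except UnsafeXml as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE outright also closes internal-entity expansion attacks in the same stroke, which is why it is preferable to merely disabling external entity resolution.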

Exploitation Scenario

An attacker targeting a university AI research center submits a dataset contribution as a SAF Zip archive to the DSpace administrator, embedded with an XXE payload in the dublin_core.xml descriptor. The payload points to an attacker-controlled server. When the admin runs Batch Import via the UI, Tomcat resolves the external entity — confirming exploitation — then a second stage payload retrieves /opt/dspace/config/dspace.cfg (containing database credentials and mail server config). In the passive variant, an adversary with MITM capability on the institution's connection to ArXiv's XML API injects a malicious DOCTYPE into a metadata response, triggering XXE during a routine import workflow with no admin interaction beyond normal operations.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:L

Timeline

Published: July 15, 2025
Last Modified: July 15, 2025
First Seen: July 15, 2025

Related Vulnerabilities