All,
Two DSpace security advisories have been released that impact all DSpace versions.
CVE-2025-53621 : XML External Entity (XXE) injection possible in import via Simple Archive Format (SAF) or import from external sources. Severity: Moderate (6.9 out of 10.0 using CVSSv3)
Affected Versions: <= 7.6.3, 8.0 <= 8.1, 9.0 (includes unsupported releases 1.x - 6.x)
Patched Versions: 7.6.4, 8.2, 9.1
Reported by: Pablo Picurelli Ortiz (@superpegaso2703)
Patches for 7.x, 8.x and 9.x are available in the security advisory for sites that cannot upgrade immediately.
To exploit this XXE vulnerability, the attacker must have administrator privileges or convince an existing administrator to import a malicious SAF archive into DSpace.
Importing via external source (from MyDSpace or Submission form) is also vulnerable to XXE for four external sources: ArXiv, CrossRef, OpenAIRE and Creative Commons. However, the likelihood of this attack is very low because it would require the external source’s API to be compromised such that it sends DSpace a malicious payload in response. Nonetheless, if you distrust any of these services, you should consider disabling that external source until you are able to patch or upgrade your site.
CVE-2025-53622 :
Path traversal vulnerability in Simple Archive Format (SAF) package import via “contents” file. Severity: Moderate (5.2 out of 10.0 using CVSSv3)
Affected Versions: <= 7.6.3, 8.0 <= 8.1, 9.0 (includes unsupported releases 1.x - 6.x)
Patched Versions: 7.6.4, 8.2, 9.1
Reported by: Marcin Miłosz (@MMilosz) of PCG Academia
Patches for 7.x, 8.x and 9.x are available in the security advisory for sites that cannot upgrade immediately.
As with the above vulnerability, the attacker must have administrator privileges or convince an existing administrator to import a malicious SAF archive into DSpace. The key difference is that this attack occurs via a malicious “contents” file within the SAF archive.
We recommend that all DSpace sites immediately apply patches or upgrade. While both of these vulnerabilities require administrative privileges, these attacks may be difficult for an administrator to detect by manual inspection in larger Simple Archive Format (SAF) packages.
Until you upgrade or patch your site, we highly recommend avoiding importing any untrusted Simple Archive Format (SAF) packages. These SAF packages are imported via either the “./dspace import” command line tool, or the “Import -> Batch Import (ZIP)” tool in the Admin User Interface. Both methods of importing these packages are vulnerable to these attacks.
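As an added illustration (not DSpace project code), the following script gives an administrator a way to screen a SAF package for the two conditions these advisories describe before handing it to "./dspace import" or the Batch Import tool: DOCTYPE or entity declarations in the item metadata XML, and "contents" entries whose filename points outside the item directory. It assumes the standard SAF layout (one directory per item, with dublin_core.xml, optional metadata_*.xml and a "contents" file whose first tab-separated field is the bitstream filename); the checks are heuristics and do not replace patching.

```python
"""Vet a DSpace Simple Archive Format (SAF) package before importing it.
Added example, not DSpace project code. Assumes the standard SAF layout: one
directory per item holding dublin_core.xml, optional metadata_*.xml, and a
"contents" file whose first tab-separated field is the bitstream filename.
"""
import re
import sys
from pathlib import Path, PurePosixPath

# SAF metadata XML never needs a DOCTYPE or entity declaration; either one is
# the precondition for XXE, so its presence is reported as a finding.
DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def xml_declares_entities(xml_bytes: bytes) -> bool:
    """True if the XML document carries a DOCTYPE or ENTITY declaration."""
    return DOCTYPE_RE.search(xml_bytes) is not None


def bad_contents_entries(contents_text: str) -> list[str]:
    """Return bitstream names in a "contents" file that could escape the item dir."""
    bad = []
    for line in contents_text.splitlines():
        name = line.split("\t")[0].strip()
        if not name:
            continue
        # Absolute paths, '..' components and backslashes are never legitimate
        # bitstream names inside an item directory.
        if name.startswith("/") or "\\" in name or ".." in PurePosixPath(name).parts:
            bad.append(name)
    return bad


def vet_saf_package(root) -> list[str]:
    """Walk every item directory under root; an empty result means clean."""
    findings = []
    for item in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for xml_file in sorted(item.glob("*.xml")):
            if xml_declares_entities(xml_file.read_bytes()):
                findings.append(f"{item.name}/{xml_file.name}: DOCTYPE/ENTITY present")
        contents = item / "contents"
        if contents.is_file():
            for name in bad_contents_entries(contents.read_text(errors="replace")):
                findings.append(f"{item.name}/contents: {name!r} escapes item dir")
    return findings


if __name__ == "__main__":
    problems = vet_saf_package(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it as "python vet_saf.py /path/to/unpacked_package"; a non-zero exit status means at least one item should be inspected before import.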
If you have any questions about these security advisories, please email secu...@dspace.org. This email address sends a private email to all DSpace Committers.
Sincerely,
Tim Donohue, on behalf of the DSpace Committers