Biopython Bio.Entrez CVE-2025-68463
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L
Lifecycle Timeline
1Blast Radius
ecosystem impact- 17 pypi packages depend on biopython (16 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.86.
DescriptionCVE.org
Bio.Entrez in Biopython through 186 allows doctype XXE.
AnalysisAI
Biopython's Bio.Entrez module through version 1.86 is vulnerable to XML external entity (XXE) injection in doctype parsing, allowing authenticated remote attackers to read arbitrary files or cause denial of service. The vulnerability requires authenticated access and high attack complexity, resulting in a CVSS score of 4.9 with low confidentiality and availability impact across trust boundaries. Exploitation is not currently tracked in CISA KEV and has extremely low EPSS probability (0.07%, 20th percentile), indicating limited real-world risk despite the XXE vector.
Technical ContextAI
Bio.Entrez is a Biopython module for querying NCBI Entrez databases via HTTP requests and parsing XML responses. The vulnerability stems from improper handling of DOCTYPE declarations in XML parsing (CWE-611: Improper Restriction of XML External Entity Reference). When Bio.Entrez processes XML responses from Entrez servers or user-supplied XML input, it does not adequately restrict external entity resolution in the XML parser, allowing DOCTYPE-based XXE attacks. The attack requires an authenticated context and high complexity (likely requiring specific XML structure or NCBI service conditions), limiting practical exploitability compared to traditional XXE vulnerabilities.
Affected ProductsAI
Biopython Bio.Entrez module through version 1.86 is affected. The vulnerability is fixed in Biopython 1.87 and later. Installation via PyPI can be verified at pypi.org/project/biopython, with affected CPE covering biopython product versions up to and including 1.86.
RemediationAI
Upgrade Biopython to version 1.87 or later immediately via pip install --upgrade biopython. No workarounds are documented for users unable to upgrade. For development environments, verify the fix commit (736c96f37b190732ecca9da80ad0cb9d4967214d) has been applied if building from source. Restrict Bio.Entrez module usage to trusted NCBI endpoints only; if parsing XML from external sources, implement input validation and disable DOCTYPE processing at the parser level (if supported by the underlying XML library). Organizations should prioritize patching in systems where Bio.Entrez directly processes user-controlled XML input.
Vendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today