Skip to main content

Biopython Bio.Entrez CVE-2025-68463

MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2025-12-18 cve@mitre.org
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Apr 23, 2026 - 00:14 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 pypi packages depend on biopython (16 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.86.

DescriptionCVE.org

Bio.Entrez in Biopython through 186 allows doctype XXE.

AnalysisAI

Biopython's Bio.Entrez module through version 1.86 is vulnerable to XML external entity (XXE) injection in doctype parsing, allowing authenticated remote attackers to read arbitrary files or cause denial of service. The vulnerability requires authenticated access and high attack complexity, resulting in a CVSS score of 4.9 with low confidentiality and availability impact across trust boundaries. Exploitation is not currently tracked in CISA KEV and has extremely low EPSS probability (0.07%, 20th percentile), indicating limited real-world risk despite the XXE vector.

Technical ContextAI

Bio.Entrez is a Biopython module for querying NCBI Entrez databases via HTTP requests and parsing XML responses. The vulnerability stems from improper handling of DOCTYPE declarations in XML parsing (CWE-611: Improper Restriction of XML External Entity Reference). When Bio.Entrez processes XML responses from Entrez servers or user-supplied XML input, it does not adequately restrict external entity resolution in the XML parser, allowing DOCTYPE-based XXE attacks. The attack requires an authenticated context and high complexity (likely requiring specific XML structure or NCBI service conditions), limiting practical exploitability compared to traditional XXE vulnerabilities.

Affected ProductsAI

Biopython Bio.Entrez module through version 1.86 is affected. The vulnerability is fixed in Biopython 1.87 and later. Installation via PyPI can be verified at pypi.org/project/biopython, with affected CPE covering biopython product versions up to and including 1.86.

RemediationAI

Upgrade Biopython to version 1.87 or later immediately via pip install --upgrade biopython. No workarounds are documented for users unable to upgrade. For development environments, verify the fix commit (736c96f37b190732ecca9da80ad0cb9d4967214d) has been applied if building from source. Restrict Bio.Entrez module usage to trusted NCBI endpoints only; if parsing XML from external sources, implement input validation and disable DOCTYPE processing at the parser level (if supported by the underlying XML library). Organizations should prioritize patching in systems where Bio.Entrez directly processes user-controlled XML input.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2025-68463 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy