CVE-2025-54992

OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/telstra/open-kilda/commit/1eddb4983a6287d083e3e99a56dc4c291abd347e
https://github.com/telstra/open-kilda/pull/5778
https://github.com/telstra/open-kilda/security/advisories/GHSA-43rg-6r66-6hr7

Configurations

No configuration.

History

12 Aug 2025, 14:25

Type	Values Removed	Values Added
Summary		(es) OpenKilda es un controlador OpenFlow de código abierto. Antes de la versión 1.164.0, se detectó una vulnerabilidad de inyección de entidades externas XML (XXE) en OpenKilda que, en combinación con GHSL-2025-024, permite a atacantes no autenticados extraer información de la instancia donde se ejecuta la interfaz de usuario de OpenKilda. Este problema puede provocar la divulgación de información. Este problema se ha corregido en la versión 1.164.0.

11 Aug 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-11 22:15

Updated : 2025-08-12 14:25

NVD link : CVE-2025-54992

Mitre link : CVE-2025-54992

CVE.ORG link : CVE-2025-54992

JSON object : View

Products Affected

No product.

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2025-54992", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-11T22:15:27.693", "references": [{"url": "https://github.com/telstra/open-kilda/commit/1eddb4983a6287d083e3e99a56dc4c291abd347e", "source": "security-advisories@github.com"}, {"url": "https://github.com/telstra/open-kilda/pull/5778", "source": "security-advisories@github.com"}, {"url": "https://github.com/telstra/open-kilda/security/advisories/GHSA-43rg-6r66-6hr7", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0."}, {"lang": "es", "value": "OpenKilda es un controlador OpenFlow de c\u00f3digo abierto. Antes de la versi\u00f3n 1.164.0, se detect\u00f3 una vulnerabilidad de inyecci\u00f3n de entidades externas XML (XXE) en OpenKilda que, en combinaci\u00f3n con GHSL-2025-024, permite a atacantes no autenticados extraer informaci\u00f3n de la instancia donde se ejecuta la interfaz de usuario de OpenKilda. Este problema puede provocar la divulgaci\u00f3n de informaci\u00f3n. Este problema se ha corregido en la versi\u00f3n 1.164.0."}], "lastModified": "2025-08-12T14:25:33.177", "sourceIdentifier": "security-advisories@github.com"}