Description
Bio.Entrez in Biopython through 186 allows doctype XXE.
Published: 2025-12-18
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits XML External Entity (XXE) processing in Bio.Entrez up to revision 186, so an attacker who supplies a crafted XML document can trigger the parser's external entity resolution. This weakness may allow the disclosure of information that the process can access, including potentially sensitive files or data, without providing direct code execution or denial of service. The effect depends on how the library interacts with external sources.

Affected Systems

The flaw affects the Biopython library (vendor Biopython, product Biopython). All released versions through revision 186 are impacted; later revisions are not covered by the description. The library is typically used in Python environments that parse XML with Bio.Entrez, so any deployment of Biopython in such contexts is potentially exposed.

Risk and Exploitability

The CVSS base score of 4.9 indicates moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious XML document through code that invokes Bio.Entrez, so the attack vector is application-level data input rather than a pure network or remote code execution vector. Given the limited exploitation scope and low EPSS, the overall risk to systems using unpatched Biopython is moderate, yet timely remediation is advised.

Generated by OpenCVE AI on May 2, 2026 at 00:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Biopython to a version that contains the XXE fix (any release after revision 186; consult the project’s changelog for details).
  • If an upgrade is not immediately possible, reconfigure the XML parser used by Bio.Entrez to disable external entity resolution, if the library exposes that setting.
  • Validate or sanitize any XML input before passing it to Bio.Entrez functions to prevent malicious XML from being processed.
  • Run processes that load Biopython with the least privileges and restrict file read permissions to mitigate potential data leaks.
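As an added example of the input screen suggested in the third action above (this is not Biopython's or OpenCVE's code): a pre-parse check built on Python's standard-library expat parser that flags a DOCTYPE, any entity declaration, or any external entity reference before the bytes reach Bio.Entrez. It goes slightly beyond the advisory's "doctype" wording by also reporting internal entity declarations. The two sample documents are constructed, and the usage shown in the docstring assumes Entrez.read accepts a file-like handle.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DOCTYPE, an entity, or an external reference."""


def screen_xml(data: bytes) -> list:
    """Return findings that make `data` unsafe for an entity-resolving parser.
    An empty list means no DOCTYPE or entity constructs were seen."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name!r} declared (system id {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        findings.append(f"{kind} entity {name!r} declared (system id {sysid!r})")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference to {sysid!r}")
        return 1  # report success to expat without fetching anything

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def reject_unsafe(data: bytes) -> bytes:
    """Return `data` unchanged if clean, otherwise raise listing the findings.
    Intended use (assumes Entrez.read takes a file-like handle):
        record = Entrez.read(io.BytesIO(reject_unsafe(raw_bytes)))"""
    findings = screen_xml(data)
    if findings:
        raise UnsafeXMLError("; ".join(findings))
    return data


# Constructed samples: a minimal ESearch-style result, and the same shape with an
# inline DOCTYPE that declares and references an external entity (placeholder URI).
BENIGN = b'<?xml version="1.0"?><eSearchResult><Count>1</Count></eSearchResult>'
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE eSearchResult [<!ENTITY ext SYSTEM "file:///placeholder">]>'
           b'<eSearchResult><Count>&ext;</Count></eSearchResult>')

if __name__ == "__main__":
    print(screen_xml(BENIGN))   # []
    print(screen_xml(HOSTILE))  # DOCTYPE, entity declaration, external reference
```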

Generated by OpenCVE AI on May 2, 2026 at 00:58 UTC.

Advisories
Source: Github GHSA
ID: GHSA-x3vf-39hj-gxr4
Title: Biopython is vulnerable to doctype XML external entity (XXE) injection through Bio.Entrez

History

Fri, 08 May 2026 19:30:00 +0000

Type: References

Wed, 22 Apr 2026 17:15:00 +0000

Sun, 21 Dec 2025 21:30:00 +0000

Type: First Time appeared
  Values Added: Biopython; Biopython biopython
Type: Vendors & Products
  Values Added: Biopython; Biopython biopython

Fri, 19 Dec 2025 00:15:00 +0000

Type: Title
  Values Added: python-biopython: python-biopython: Information disclosure via XML External Entity (XXE) vulnerability in Bio.Entrez
Type: References
Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Moderate

Thu, 18 Dec 2025 22:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 06:00:00 +0000

Type: Description
  Values Added: Bio.Entrez in Biopython through 186 allows doctype XXE.
Type: Weaknesses
  Values Added: CWE-611
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T18:28:47.889Z

Reserved: 2025-12-18T05:40:36.580Z

Link: CVE-2025-68463

Vulnrichment

Updated: 2026-05-08T18:28:47.889Z

NVD

Status : Deferred

Published: 2025-12-18T06:15:50.177

Modified: 2026-05-08T19:16:27.697

Link: CVE-2025-68463

Redhat

Severity : Moderate

Public Date: 2025-12-18T05:40:36Z

Links: CVE-2025-68463 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses