Home > Vulnerability Database > CVE-2025-63917

Mend.io Vulnerability Database

CVE-2025-63917

Good to know:

Date: November 16, 2025

PDFPatcher thru 1.1.3.4663 executable's XML bookmark import functionality does not restrict XML external entity (XXE) references. The application uses .NET's XmlDocument class without disabling external entity resolution, enabling attackers to: Read arbitrary files from the victim's filesystem, exfiltrate sensitive data via out-of-band (OOB) HTTP requests, perform SSRF attacks against internal network resources, or cause a denial of service via entity expansion attacks.

Severity Score

7.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-63917

Url: https://www.cnblogs.com/pdfpatcher

Url: https://github.com/cydtseng/Vulnerability-Research/blob/main/pdfpatcher/XXE-Importers.md

Url: https://github.com/wmjordan/PDFPatcher

Url: https://www.mend.io/vulnerability-database/CVE-2025-63917

Severity Score

7.1

Weakness Type (CWE)

Improper Restriction of XML External Entity Reference

CWE-611

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-63917

Good to know:

Date: November 16, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?