CVE-2025-63917 - XXE Injection in PDFPatcher

Description:
PDFPatcher versions through 1.1.3.4663 are vulnerable to XML External Entity (XXE) injection in its XML bookmark import functionality. This allows attackers to read arbitrary files, exfiltrate data through out-of-band HTTP requests, perform SSRF attacks, or cause a denial of service.

Affected Component:
Files: , ,
Application Version: Before 1.1.3.4663

Impact:
- Information disclosure (arbitrary file read)
- Data exfiltration through out-of-band channels
- Server-Side Request Forgery (SSRF)
- Denial of Service (DoS) via entity expansion
- Potential privilege escalation through information gathering

Type of Vulnerability:
CWE-611: Improper Restriction of XML External Entity Reference

Steps to Reproduce / PoC:
1. Create a malicious DTD file ( ).
2. Host the DTD on an HTTP server.
3. Create a malicious XML bookmark file ( ).
4. Import the malicious XML file into PDFPatcher.

Root Cause:
The application uses class without disabling external entity resolution, allowing XXE attacks.

Mitigation Recommendations:
- Disable external entities in .
- Use a safe XML parser like with secure settings.
- Validate XML input before processing.
- Run with least privileges.
- Implement content security and whitelisting.
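The mitigation list above names the fix (disable external entity resolution, use secure parser settings) without showing it. The following is an added example written for this page, not PDFPatcher's own code: it assumes the application is a .NET program that loads bookmark XML through System.Xml (the advisory does not name the class), and it places the vulnerable pattern beside a hardened loader. The sample XML, the `bookmarks` element names and the `dtd-host.example` host are constructed for illustration.

```csharp
// Added example (not PDFPatcher's own code). Assumption: the application is .NET and
// parses bookmark XML with System.Xml; the advisory does not name the parser class.
using System;
using System.IO;
using System.Xml;

public static class SafeBookmarkLoader
{
    // Constructed sample: a bookmark file whose DOCTYPE declares an external entity.
    // The host is a placeholder; the hardened loader rejects the DOCTYPE before any
    // resolution would take place, so nothing is ever fetched.
    public const string SampleWithDtd =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE bookmarks [\n" +
        "  <!ENTITY ext SYSTEM \"http://dtd-host.example/bookmarks.dtd\">\n" +
        "]>\n" +
        "<bookmarks><bookmark title=\"&ext;\" page=\"1\"/></bookmarks>";

    // Constructed sample: a well-formed bookmark file with no DTD.
    public const string SampleClean =
        "<?xml version=\"1.0\"?>" +
        "<bookmarks><bookmark title=\"Chapter 1\" page=\"1\"/></bookmarks>";

    // Pattern to avoid: an explicit XmlUrlResolver (which is also the XmlDocument
    // default on .NET Framework) resolves external entities, which is the root cause
    // the advisory describes. Shown for contrast only; Main never calls it.
    public static XmlDocument LoadUnsafe(string xml)
    {
        var doc = new XmlDocument { XmlResolver = new XmlUrlResolver() };
        doc.LoadXml(xml);
        return doc;
    }

    // Hardened loader: DTDs are prohibited outright, so inline entities, external
    // entities, expansion bombs and out-of-band fetches are all refused at the
    // DOCTYPE declaration. The resolver is null as defence in depth.
    public static XmlDocument LoadSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,      // any <!DOCTYPE> throws XmlException
            XmlResolver = null,                          // never fetch external resources
            MaxCharactersFromEntities = 1024,            // caps entity expansion
            MaxCharactersInDocument = 10 * 1024 * 1024,  // caps overall document size
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }

    public static void Main()
    {
        XmlDocument clean = LoadSafe(SampleClean);
        string title = clean.DocumentElement.FirstChild.Attributes["title"].Value;
        Console.WriteLine("clean file accepted, first bookmark: " + title);

        try
        {
            LoadSafe(SampleWithDtd);
            Console.WriteLine("unexpected: DOCTYPE was accepted");
        }
        catch (XmlException ex)
        {
            // Expected path: the DOCTYPE is rejected before any entity is resolved.
            Console.WriteLine("DTD-bearing file rejected: " + ex.Message);
        }
    }
}
```

Prohibiting DTDs entirely is the right setting for a bookmark format that never legitimately needs one; if a format does require a DTD, `DtdProcessing.Parse` with `XmlResolver = null` still blocks external resolution but leaves internal entity expansion to be bounded by `MaxCharactersFromEntities`. Note that `XmlDocument` with no explicit `XmlResolver` behaves differently across .NET Framework and .NET Core, so the settings should be set explicitly rather than relied on from defaults.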