CVE-2025-24910 in Pentaho Business Analytics Server
Summary
by MITRE • 04/17/2025
Overview
XML documents optionally contain a Document Type Definition (DTD), which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the application that is processing the XML. This application may echo back the data (e.g. in an error message), thereby exposing the file contents. (CWE-611)
Description
Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.2, including 9.3.x and 8.3.x, do not correctly protect Pentaho Data Integration MessageSourceCrawler against out-of-band XML External Entity Reference.
Impact
By submitting an XML file that defines an external entity with a file:// URI, an attacker can cause the processing application to read the contents of a local file. Using URIs with other schemes such as http://, the attacker can force the application to make outgoing requests to servers that the attacker cannot reach directly, which can be used to bypass firewall restrictions or hide the source of attacks such as port scanning.
Analysis
by VulDB Data Team • 04/17/2025
CVE-2025-24910 is a critical flaw in Hitachi Vantara Pentaho Business Analytics Server affecting versions prior to 10.2.0.2, including the 9.3.x and 8.3.x release lines. It stems from inadequate protection in the Pentaho Data Integration MessageSourceCrawler component, which does not properly restrict XML input that carries a Document Type Definition. When such a document declares external entities that point at local files through file:// URIs or at network resources through other protocols, the parser resolves them, opening a path to unauthorized data access and network reconnaissance.
Technically this is an XML External Entity (XXE) issue: the application accepts XML input without validating the entity declarations it contains. When a malicious document's DTD defines an external entity that names a local file, the parser resolves the reference, reads the file and feeds its contents back into the application context. This maps directly to CWE-611, Improper Restriction of XML External Entity Reference. The effect is that the application's own XML parsing can be turned against it to reach sensitive local files that should remain protected.
The operational impact goes beyond simple data exfiltration. With the file:// scheme an attacker can read arbitrary local files on the server, potentially including configuration files, database credentials and other sensitive data on the application's file system. With HTTP-based URIs the attacker can force the application to make outbound requests, effectively bypassing firewall restrictions and creating a covert channel for network scanning against internal hosts that would not be reachable from the application's external-facing interface. This makes the vulnerability particularly dangerous in enterprise environments where network segmentation is critical.
Organizations running affected Pentaho versions should mitigate immediately (the fixed release is 10.2.0.2), focusing on input validation and XML processing restrictions. The primary recommendation is to disable external entity resolution entirely in the XML parsers, so that DTD declarations can never trigger out-of-band resource access. Further measures include proper XML schema validation, restricting the file system permissions of the application account, and network monitoring for unusual outbound traffic that may indicate exploitation attempts. In ATT&CK terms VulDB maps this vulnerability to T1190 (Exploit Public-Facing Application), with the XXE in the crawler as the exploited entry point, while the broader implications extend to the privilege escalation and data exfiltration tactics an attacker can pursue through this vector. The case underscores the importance of proper XML security controls in enterprise applications that handle user-supplied input, and of regular security updates and vulnerability assessments.
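To show why the recommended fix (disabling external entity resolution) matters, here is an added Python example; it is not code from the advisory or from Pentaho. The same DTD-bearing document is parsed once with a weak configuration that fetches SYSTEM entities and once with a hardened one that leaves them off and installs a resolver that refuses every external entity. The file it reads is a temp file the example writes itself, and all names (SECRET_PATH, XXE_DOC, parse_text, resolver_blocks) are constructed.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
# Constructed stand-in for a sensitive local file: a temp file, not a real Pentaho path.
SECRET_PATH = os.path.join(tempfile.mkdtemp(), "db.properties")
with open(SECRET_PATH, "w") as fh:
    fh.write("password=constructed-sample-secret")
# Constructed document of the shape the advisory describes: the DTD declares an
# external general entity backed by a file:// URI and the body references it.
XXE_DOC = (
    '<?xml version="1.0"?>\n'
    f'<!DOCTYPE msg [<!ENTITY ext SYSTEM "file://{SECRET_PATH}">]>\n'
    "<msg>&ext;</msg>"
)

class TextCollector(ContentHandler):
    """Collects character data, i.e. whatever the parser feeds back into the app."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

class RefusingResolver(EntityResolver):
    """Defence in depth: refuse every external entity, whatever its URI scheme."""
    def resolveEntity(self, publicId, systemId):
        raise xml.sax.SAXException(f"external entity blocked: {systemId}")

def parse_text(doc, external_entities, resolver=None):
    """Return the text of doc. external_entities=True is the weak setting:
    SYSTEM entities (file://, http://, ...) are fetched and inlined."""
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # Python's xml.sax leaves this feature off by default; turning it on is the bug.
    parser.setFeature(feature_external_ges, external_entities)
    if resolver is not None:
        parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(doc.encode()))
    return "".join(collector.parts)

def resolver_blocks(doc):
    """True when the refusing resolver stops the fetch even with the weak setting on."""
    try:
        parse_text(doc, True, RefusingResolver())
    except xml.sax.SAXException:
        return True
    return False
```

With the weak setting the parsed text is the temp file's contents; with the hardened setting the entity expands to nothing, and the refusing resolver turns any attempt to re-enable fetching into a hard error instead of a silent read.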