CVE-2025-4641: Critical XXE Vulnerability in WebDriverManager

Overview

A critical vulnerability identified as CVE-2025-4641 has been discovered in WebDriverManager, an open-source Java library by bonigarcia widely used to automate the management of WebDriver binaries in Selenium-based projects. This issue affects versions from 1.0.0 up to but not including 6.0.2 across Windows, macOS, and Linux platforms.

Vulnerability Details

The vulnerability is categorized as an Improper Restriction of XML External Entity Reference (CWE-611), commonly known as an XXE Injection. It allows attackers to exploit XML parsing components in the affected modules, potentially triggering uncontrolled external entity resolution.

Specifically, the vulnerability resides in the file WebDriverManager.java, where XML inputs are processed without adequately restricting external entities. This can result in the exposure of sensitive information, denial of service (billion laughs attack), or interaction with internal systems.

Technical Breakdown

  • CVSS v4.0 Base Score: 9.3 (Critical)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Impact: High on Confidentiality and Availability, Low on Integrity

Impacts and Exploitation

This vulnerability enables attackers to send malicious XML payloads to the system, potentially causing:

  • Denial of service via entity expansion attacks
  • Disclosure of internal file contents or environment variables
  • Interaction with internal systems behind firewalls

The corresponding attack pattern is CAPEC-221, Data Serialization External Entities Blowup.

Affected Versions

All versions of webdrivermanager from 1.0.0 up to 6.0.1 are affected. The vulnerability is patched in version 6.0.2.

Mitigation and Recommendations

  • Upgrade to WebDriverManager version 6.0.2 or later.
  • Review XML processing configurations and disable external entity processing explicitly.
  • Conduct code audits for custom XML parsers in your Java environment.
  • Apply defense-in-depth practices such as input validation and access controls.

Conclusion

CVE-2025-4641 highlights the persistent risks of insecure XML parsing. Development teams should stay vigilant when handling structured data formats like XML and ensure that secure parser configurations are enforced by default. For more technical insights, refer to the related GitHub pull request.
