CWE-611
AllowedImproper Restriction of XML External Entity Reference
Abstraction: Base · Status: Draft
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
1691 vulnerabilities reference this CWE, most recent first.
GHSA-PRGJ-F78P-GH4P
Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2022-05-17 02:45IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.
{
"affected": [],
"aliases": [
"CVE-2017-1103"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-10T14:29:00Z",
"severity": "HIGH"
},
"details": "IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.",
"id": "GHSA-prgj-f78p-gh4p",
"modified": "2022-05-17T02:45:41Z",
"published": "2022-05-17T02:45:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1103"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22002429"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PV39-QP28-4MGH
Vulnerability from github – Published: 2022-03-26 00:00 – Updated: 2022-04-12 16:40Soa-model is a toolkit and Java API for WSDL, WADL and XML Schema. An XML External Entity (XXE) vulnerability exists in versions of soa-model prior to 1.6.4 in the WSDLParser function. This issue has been fixed in version 1.6.4.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.predic8:soa-model-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "com.predic8:soa-model-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43090"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-30T15:05:12Z",
"nvd_published_at": "2022-03-25T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Soa-model is a toolkit and Java API for WSDL, WADL and XML Schema. An XML External Entity (XXE) vulnerability exists in versions of soa-model prior to 1.6.4 in the WSDLParser function. This issue has been fixed in version 1.6.4.",
"id": "GHSA-pv39-qp28-4mgh",
"modified": "2022-04-12T16:40:09Z",
"published": "2022-03-26T00:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43090"
},
{
"type": "WEB",
"url": "https://github.com/membrane/soa-model/issues/281"
},
{
"type": "WEB",
"url": "https://github.com/membrane/soa-model/commit/19de16902468e7963cc4dc6b544574bc1ea3f251"
},
{
"type": "WEB",
"url": "https://github.com/membrane/soa-model/commit/3aa295f155f621d5ea661cb9a0604013fc8fd8ff"
},
{
"type": "PACKAGE",
"url": "https://github.com/membrane/soa-model"
},
{
"type": "WEB",
"url": "https://github.com/membrane/soa-model/releases/tag/v1.6.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Improper Restriction of XML External Entity Reference in soa-model"
}
GHSA-PVF4-HR84-4G6R
Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-24 06:30Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.
{
"affected": [],
"aliases": [
"CVE-2022-46300"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-21T23:15:00Z",
"severity": "MODERATE"
},
"details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
"id": "GHSA-pvf4-hr84-4g6r",
"modified": "2023-03-24T06:30:16Z",
"published": "2023-03-22T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46300"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PVXF-5HXJ-54CH
Vulnerability from github – Published: 2022-05-17 02:12 – Updated: 2022-05-17 02:12XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.
{
"affected": [],
"aliases": [
"CVE-2010-2245"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-08T21:29:00Z",
"severity": "HIGH"
},
"details": "XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.",
"id": "GHSA-pvxf-5hxj-54ch",
"modified": "2022-05-17T02:12:13Z",
"published": "2022-05-17T02:12:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2245"
},
{
"type": "WEB",
"url": "https://svn.apache.org/repos/asf/wink/trunk/security/CVE-2010-2245.pdf"
},
{
"type": "WEB",
"url": "http://marc.info/?l=wink-user\u0026m=127843482925387\u0026w=2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PW7G-J3C6-JJPP
Vulnerability from github – Published: 2025-02-19 18:32 – Updated: 2025-02-19 18:32IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0
is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
{
"affected": [],
"aliases": [
"CVE-2023-47160"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-19T17:15:13Z",
"severity": "HIGH"
},
"details": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\n\n\nis vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
"id": "GHSA-pw7g-j3c6-jjpp",
"modified": "2025-02-19T18:32:23Z",
"published": "2025-02-19T18:32:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47160"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7183597"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PW95-88FG-3J6F
Vulnerability from github – Published: 2025-05-05 20:40 – Updated: 2025-05-05 22:07Summary
A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.
Details
XMLToolMessage uses lxml without safeguards:
https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52
lxml is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default.
Check here: https://pypi.org/project/defusedxml/#python-xml-libraries
PoC
A typical Quadratic blowup XML payload looks like this:
<!DOCTYPE bomb [
<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>
Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.
Fix
Langroid 0.53.4 initializes XMLParser with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.
https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langroid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.53.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46726"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-05T20:40:44Z",
"nvd_published_at": "2025-05-05T20:15:21Z",
"severity": "HIGH"
},
"details": "### Summary\nA LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.\n\n### Details\n`XMLToolMessage` uses `lxml` without safeguards:\nhttps://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52\n`lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. \nCheck here: https://pypi.org/project/defusedxml/#python-xml-libraries\n\n### PoC\nA typical Quadratic blowup XML payload looks like this:\n```xml\n\u003c!DOCTYPE bomb [\n\u003c!ENTITY a \"aaaaaaaaaa\"\u003e\n\u003c!ENTITY b \"\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\"\u003e\n\u003c!ENTITY c \"\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\"\u003e\n]\u003e\n\u003cbomb\u003e\u0026c;\u003c/bomb\u003e\n```\nHere, \u0026a; expands to 10 characters, \u0026b; expands to 100, and \u0026c; expands to 1000, causing exponential memory usage and potentially crashing the application.\n \n### Fix\nLangroid 0.53.4 initializes `XMLParser` with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.\nhttps://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3",
"id": "GHSA-pw95-88fg-3j6f",
"modified": "2025-05-05T22:07:30Z",
"published": "2025-05-05T20:40:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46726"
},
{
"type": "WEB",
"url": "https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3"
},
{
"type": "PACKAGE",
"url": "https://github.com/langroid/langroid"
},
{
"type": "WEB",
"url": "https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Langroid Allows XXE Injection via XMLToolMessage"
}
GHSA-PWM3-776C-8Q7Q
Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-15 17:28Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.
This issue affects webdrivermanager: from 1.0.0 before 6.1.0.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.github.bonigarcia:webdrivermanager"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "6.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-4641"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-15T17:27:58Z",
"nvd_published_at": "2025-05-14T19:15:53Z",
"severity": "CRITICAL"
},
"details": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.\n\nThis issue affects webdrivermanager: from 1.0.0 before 6.1.0.",
"id": "GHSA-pwm3-776c-8q7q",
"modified": "2025-05-15T17:28:16Z",
"published": "2025-05-14T21:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4641"
},
{
"type": "WEB",
"url": "https://github.com/bonigarcia/webdrivermanager/pull/1458"
},
{
"type": "PACKAGE",
"url": "https://github.com/bonigarcia/webdrivermanager"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H",
"type": "CVSS_V4"
}
],
"summary": "BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference"
}
GHSA-PXHP-JR2P-7HW7
Vulnerability from github – Published: 2023-01-15 09:30 – Updated: 2025-04-08 21:31BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE; 2.x versions are no longer supported. There is no available information about whether any later version is affected.
{
"affected": [],
"aliases": [
"CVE-2023-23595"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-15T07:15:00Z",
"severity": "HIGH"
},
"details": "BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as \"machine example.com login daniel password qwerty\" in the documentation example for the .netrc file format. NOTE; 2.x versions are no longer supported. There is no available information about whether any later version is affected.",
"id": "GHSA-pxhp-jr2p-7hw7",
"modified": "2025-04-08T21:31:28Z",
"published": "2023-01-15T09:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23595"
},
{
"type": "WEB",
"url": "https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp"
},
{
"type": "WEB",
"url": "https://everything.curl.dev/usingcurl/netrc"
},
{
"type": "WEB",
"url": "https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PXM4-R5PH-Q2M2
Vulnerability from github – Published: 2024-12-02 17:25 – Updated: 2024-12-13 20:39Summary
When loading an (untrusted) XML document, for example the SAMLResponse, it's possible to induce an XXE.
$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41 including the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.
While there is the NONET option, an attacker can simply bypass if by using PHP filters: php://filter/convert.base64-encode/resource=http://URL OR FILE
From there an attacker can induce network connections and steal the targeted file OOB (haven't fully tested this).
RCE may be possible with the php://expect or php://phar wrappers, but this hasn't been tested.
Note: The mitigation here: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69 Comes too late, as the XML has already been loaded into a document. Mitigation:
Remove the LIBXML_DTDLOAD | LIBXML_DTDATTR options. Additionally, as a defense in depth measure, check if there is the string: <!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: <! DOCTYPE)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "simplesamlphp/saml2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "simplesamlphp/saml2-legacy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-52806"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-02T17:25:43Z",
"nvd_published_at": "2024-12-02T17:15:12Z",
"severity": "MODERATE"
},
"details": "Summary\n\nWhen loading an (untrusted) XML document, for example the SAMLResponse, it\u0027s possible to induce an XXE.\n\n$options is defined as: https://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L41\nincluding the DTDLoad option, which allows an attacker to read file contents from local file system OR internal network.\n\nWhile there is the NONET option, an attacker can simply bypass if by using PHP filters:\nphp://filter/convert.base64-encode/resource=http://URL OR FILE\n\nFrom there an attacker can induce network connections and steal the targeted file OOB (haven\u0027t fully tested this).\n\nRCE may be possible with the php://expect or php://phar wrappers, but this hasn\u0027t been tested.\n\nNote:\nThe mitigation here:\nhttps://github.com/simplesamlphp/saml2/blob/717c0adc4877ebd58428637e5626345e59fa0109/src/SAML2/DOMDocumentFactory.php#L63-L69\nComes too late, as the XML has already been loaded into a document.\nMitigation:\n\nRemove the LIBXML_DTDLOAD | LIBXML_DTDATTR options.\nAdditionally, as a defense in depth measure, check if there is the string: \u003c!DOCTYPE inside the XML before parsing it. (This is not a complete fix because someone may be able to exploit some parser differentials, to load a DOCTYPE, maybe through spacing like: \u003c! DOCTYPE)",
"id": "GHSA-pxm4-r5ph-q2m2",
"modified": "2024-12-13T20:39:57Z",
"published": "2024-12-02T17:25:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/saml2/security/advisories/GHSA-pxm4-r5ph-q2m2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52806"
},
{
"type": "WEB",
"url": "https://github.com/simplesamlphp/saml2/commit/5fd4ce4596656fb0c1278f15b8305825412e89f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/simplesamlphp/saml2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "SimpleSAMLphp SAML2 has an XXE in parsing SAML messages"
}
GHSA-Q25X-FW47-2XVM
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904.
{
"affected": [],
"aliases": [
"CVE-2018-1844"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-12T11:29:00Z",
"severity": "HIGH"
},
"details": "IBM FileNet Content Manager 5.2.1 and 5.5.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150904.",
"id": "GHSA-q25x-fw47-2xvm",
"modified": "2022-05-13T01:32:34Z",
"published": "2022-05-13T01:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1844"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/150904"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10732755"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Many XML parsers and validators can be configured to disable external entity expansion.
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.