Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1691 vulnerabilities reference this CWE, most recent first.

GHSA-RPVM-9QG3-RJH7

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-07T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.",
  "id": "GHSA-rpvm-9qg3-rjh7",
  "modified": "2022-05-24T19:16:59Z",
  "published": "2022-05-24T19:16:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41770"
    },
    {
      "type": "WEB",
      "url": "https://docs.pingidentity.com/bundle/pingfederate-103/page/ruz1628492711606.html"
    },
    {
      "type": "WEB",
      "url": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RQ9X-WHV9-7J63

Vulnerability from github – Published: 2022-05-13 01:17 – Updated: 2022-05-13 01:17
VLAI
Details

A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70616.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-0218"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-03-08T07:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web-based user interface of the Cisco Secure Access Control Server prior to 5.8 patch 9 could allow an unauthenticated, remote attacker to gain read access to certain information in the affected system. The vulnerability is due to improper handling of XML External Entities (XXEs) when parsing an XML file. An attacker could exploit this vulnerability by convincing the administrator of an affected system to import a crafted XML file. Cisco Bug IDs: CSCve70616.",
  "id": "GHSA-rq9x-whv9-7j63",
  "modified": "2022-05-13T01:17:28Z",
  "published": "2022-05-13T01:17:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0218"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103345"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040470"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RQFH-9R24-8C9R

Vulnerability from github – Published: 2026-01-26 21:31 – Updated: 2026-01-29 03:24
VLAI
Summary
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.27.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.assertj:assertj-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "3.27.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T21:31:41Z",
    "nvd_published_at": "2026-01-26T23:16:08Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.\n\nAn application is vulnerable only when it uses untrusted XML input with one of the following methods:\n\n- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`\n- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`\n\n### Impact\n\nIf untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:\n\n- **Read arbitrary local files** via `file://` URIs (e.g., `/etc/passwd`, application configuration files)\n- **Perform Server-Side Request Forgery (SSRF)** via HTTP/HTTPS URIs\n- **Cause Denial of Service** via \"Billion Laughs\" entity expansion attacks\n\n### Mitigation\n\n`isXmlEqualTo(CharSequence)` has been deprecated in favor of [XMLUnit](https://www.xmlunit.org/) in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:\n\n1. Replace `isXmlEqualTo(CharSequence)` with XMLUnit, or\n2. Upgrade to version 3.27.7, or\n3. Avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input.\n\n`XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.\n\n### References\n\n- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)\n- [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)",
  "id": "GHSA-rqfh-9r24-8c9r",
  "modified": "2026-01-29T03:24:21Z",
  "published": "2026-01-26T21:31:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24400"
    },
    {
      "type": "WEB",
      "url": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/assertj/assertj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion"
}

GHSA-RR3F-MHHR-6WV3

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFile'] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey&surveyId= URI.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26564"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-31T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have \u003c!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey[\u0027importFile\u0027] URI. The XXE can then be triggered at a admin/preview.do?action=previewSurvey\u0026surveyId= URI.",
  "id": "GHSA-rr3f-mhhr-6wv3",
  "modified": "2022-05-24T19:09:28Z",
  "published": "2022-05-24T19:09:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26564"
    },
    {
      "type": "WEB",
      "url": "https://packetstormsecurity.com/files/163707/ObjectPlanet-Opinio-7.13-7.14-XML-Injection.html"
    },
    {
      "type": "WEB",
      "url": "https://www.objectplanet.com/opinio/changelog.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RR59-H6RH-V84V

Vulnerability from github – Published: 2024-04-09 12:30 – Updated: 2024-05-02 14:45
VLAI
Summary
Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE
Details

Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

For more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.zeppelin:sap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-47894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-09T16:23:54Z",
    "nvd_published_at": "2024-04-09T10:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Improper Input Validation vulnerability in Apache Zeppelin SAP. This issue affects Apache Zeppelin SAP: from 0.8.0 before 0.11.0.\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nFor more information, the fix already was merged in the source code but Zeppelin decided to retire the SAP component\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-rr59-h6rh-v84v",
  "modified": "2024-05-02T14:45:20Z",
  "published": "2024-04-09T12:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/zeppelin/pull/4302"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/zeppelin/commit/bea51d1467d6103bd8fd68d6a27b14f954d98ec6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/zeppelin"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/ZEPPELIN-5665"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/csf4k73kkn3nx58pm0p2qrylbox4fvyy"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/04/09/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Zeppelin SAP: connecting to a malicious SAP server allowed it to perform XXE"
}

GHSA-RRH8-365P-PW96

Vulnerability from github – Published: 2022-05-17 02:41 – Updated: 2022-05-17 02:41
VLAI
Details

IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service. IBM X-Force ID: 110563.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-0254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-07T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Business Intelligence 10.1 and 10.2 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service. IBM X-Force ID: 110563.",
  "id": "GHSA-rrh8-365p-pw96",
  "modified": "2022-05-17T02:41:25Z",
  "published": "2022-05-17T02:41:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0254"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/110563"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22004036"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/98971"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVQQ-FWFF-P2V4

Vulnerability from github – Published: 2022-12-18 06:31 – Updated: 2022-12-22 18:30
VLAI
Details

An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-18T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XML external entity (XXE) injection vulnerability in XML-RPC.NET before 2.5.0 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, as demonstrated by a pingback.aspx POST request.",
  "id": "GHSA-rvqq-fwff-p2v4",
  "modified": "2022-12-22T18:30:25Z",
  "published": "2022-12-18T06:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47514"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jumpycastle/xmlrpc.net-poc"
    },
    {
      "type": "WEB",
      "url": "https://papercutsoftware.github.io/XML-RPC.NET/download.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVRV-6XRW-V985

Vulnerability from github – Published: 2023-08-04 21:30 – Updated: 2023-08-04 21:30
VLAI
Details

A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-04T21:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system.\n The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.",
  "id": "GHSA-rvrv-6xrw-v985",
  "modified": "2023-08-04T21:30:44Z",
  "published": "2023-08-04T21:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26064"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vmanx2-KpFVSUc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWG2-W82X-V57J

Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-11-30 20:49
VLAI
Summary
XML External Entity Reference vulnerability in Jenkins Pipeline: Phoenix AutoTest Plugin
Details

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for the readXml or writeXml build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.surenpi.jenkins:phoenix-autotest"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-28155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-30T20:49:11Z",
    "nvd_published_at": "2022-03-29T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.\nThis allows attackers able to control the input files for the `readXml` or `writeXml` build step to have Jenkins parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
  "id": "GHSA-rwg2-w82x-v57j",
  "modified": "2022-11-30T20:49:11Z",
  "published": "2022-03-30T00:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28155"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/phoenix-autotest-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-03-29/#SECURITY-1897"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/03/29/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference vulnerability in Jenkins Pipeline: Phoenix AutoTest Plugin"
}

GHSA-RWPC-FVP2-P5WP

Vulnerability from github – Published: 2025-07-08 21:30 – Updated: 2025-07-08 21:30
VLAI
Details

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49539"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T21:15:26Z",
    "severity": "MODERATE"
  },
  "details": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference (\u0027XXE\u0027) vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses.",
  "id": "GHSA-rwpc-fvp2-p5wp",
  "modified": "2025-07-08T21:30:28Z",
  "published": "2025-07-08T21:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49539"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.