Common Weakness Enumeration

CWE-776

Allowed

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Abstraction: Base · Status: Draft

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

142 vulnerabilities reference this CWE, most recent first.

GHSA-QC7W-4567-84WV

Vulnerability from github – Published: 2024-06-07 20:30 – Updated: 2024-06-07 20:30
VLAI
Summary
Zendframework vulnerable to XXE/XEE attacks
Details

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

  • XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
  • XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T20:30:06Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Numerous components utilizing PHP\u0027s DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.",
  "id": "GHSA-qc7w-4567-84wv",
  "modified": "2024-06-07T20:30:06Z",
  "published": "2024-06-07T20:30:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/225a8c9f1c3bc08c0bddf22486a8a39ff7186ac1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/5dab7b8e77741dbba56209616b7815bb04f4c561"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/68d0756c596baeefad0b733b42ef2657d09c7f4e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/bbcf41e676ef6d8f16ea9d6499050bca0787eb6c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/ee7f81cc996fb1c16c7dae23eca9ec013ab74730"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zendframework/commit/fbeba98d5a9924b026a5dd98f679143fd6be89ea"
    },
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2014-01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2014-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zendframework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zendframework vulnerable to XXE/XEE attacks"
}

GHSA-QPMC-WPRV-X746

Vulnerability from github – Published: 2022-04-12 21:31 – Updated: 2022-04-12 21:31
VLAI
Summary
Inline DTD allows XML bomb attack
Details

The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "sweet_xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-15160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-12T21:31:26Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.",
  "id": "GHSA-qpmc-wprv-x746",
  "modified": "2022-04-12T21:31:26Z",
  "published": "2022-04-12T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kbrw/sweet_xml/issues/71"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kbrw/sweet_xml"
    },
    {
      "type": "WEB",
      "url": "https://hex.pm/packages/sweet_xml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Inline DTD allows XML bomb attack"
}

GHSA-QW4H-3XJJ-84CC

Vulnerability from github – Published: 2023-12-01 00:31 – Updated: 2025-11-04 18:12
VLAI
Summary
Apache Tiles: Unvalidated input may lead to path traversal and XXE
Details

The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles.

This issue affects Apache Tiles from version 2 onwards.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tiles:tiles-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts-tiles"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "last_affected": "1.3.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "struts:struts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1"
            },
            {
              "last_affected": "1.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49735"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-11T21:45:42Z",
    "nvd_published_at": "2023-11-30T22:15:09Z",
    "severity": "HIGH"
  },
  "details": "The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the \u0027tiles-test\u0027 application shipped with Tiles.\n\nThis issue affects Apache Tiles from version 2 onwards.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-qw4h-3xjj-84cc",
  "modified": "2025-11-04T18:12:32Z",
  "published": "2023-12-01T00:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49735"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tiles"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Tiles: Unvalidated input may lead to path traversal and XXE"
}

GHSA-R3XG-RG9J-67FV

Vulnerability from github – Published: 2026-06-03 21:13 – Updated: 2026-06-03 21:13
VLAI
Summary
Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend
Details

Impact

The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity (XXE) attacks to read local files or cause denial of service - Decompression bombs (zip bombs) to exhaust memory and disk space - Unbounded archive extraction consuming system resources

An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.

Patches

Fixed in version 2.91.0. The fix implements: - Secure XML parsing with resolve_entities=False, load_dtd=False, and no_network=True - Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count - Cumulative size tracking across all extractions - Early termination when limits are exceeded - Secure format detection of METS-GBS tar archives with _detect_mets_gbs() method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded

Workarounds

Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "docling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.45.0"
            },
            {
              "fixed": "2.91.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-409",
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:13:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe METS-GBS backend\u0027s XML parsing and the input document format detection lacked security controls, enabling:\n- XML External Entity (XXE) attacks to read local files or cause denial of service\n- Decompression bombs (zip bombs) to exhaust memory and disk space\n- Unbounded archive extraction consuming system resources\n\nAn attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.\n\n### Patches\nFixed in version 2.91.0. The fix implements:\n- Secure XML parsing with `resolve_entities=False`, `load_dtd=False`, and `no_network=True`\n- Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count\n- Cumulative size tracking across all extractions\n- Early termination when limits are exceeded\n- Secure format detection of METS-GBS tar archives with `_detect_mets_gbs()` method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded\n\n### Workarounds\nAvoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.\n\n### References\n- Fix release: [v2.91.0](https://github.com/docling-project/docling/releases/tag/v2.91.0)",
  "id": "GHSA-r3xg-rg9j-67fv",
  "modified": "2026-06-03T21:13:33Z",
  "published": "2026-06-03T21:13:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/docling-project/docling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docling-project/docling/releases/tag/v2.91.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend"
}

GHSA-R777-X2JC-XGC6

Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31
VLAI
Details

An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25186"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-22T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.",
  "id": "GHSA-r777-x2jc-xgc6",
  "modified": "2022-05-24T17:31:58Z",
  "published": "2022-05-24T17:31:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25186"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-238-03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RFHM-XWGJ-V2Q9

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26
VLAI
Details

Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24052"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-21T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request.",
  "id": "GHSA-rfhm-xwgj-v2q9",
  "modified": "2022-05-24T17:26:19Z",
  "published": "2022-05-24T17:26:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24052"
    },
    {
      "type": "WEB",
      "url": "https://ioac.tv/3hy1xu6"
    },
    {
      "type": "WEB",
      "url": "https://ioactive.com/moog-exo-series-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RPCF-XW9J-7C7J

Vulnerability from github – Published: 2022-05-17 01:59 – Updated: 2024-02-02 15:30
VLAI
Details

jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-1755"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-06-21T02:52:00Z",
    "severity": "MODERATE"
  },
  "details": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
  "id": "GHSA-rpcf-xw9j-7c7j",
  "modified": "2024-02-02T15:30:27Z",
  "published": "2022-05-17T01:59:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1755"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67770"
    },
    {
      "type": "WEB",
      "url": "https://hermes.opensuse.org/messages/9197650"
    },
    {
      "type": "WEB",
      "url": "http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/44787"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/44957"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/45112"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT5002"
    },
    {
      "type": "WEB",
      "url": "http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html"
    },
    {
      "type": "WEB",
      "url": "http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01655.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0881.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0882.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/48250"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RPRC-6FR2-45V9

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09
VLAI
Details

An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9354"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-23T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal.",
  "id": "GHSA-rprc-6fr2-45v9",
  "modified": "2022-05-24T17:09:30Z",
  "published": "2022-05-24T17:09:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9354"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2020/Feb/18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RVWF-54QP-4R6V

Vulnerability from github – Published: 2021-06-04 21:37 – Updated: 2022-08-11 21:47
VLAI
Summary
SnakeYAML Entity Expansion during load operation
Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.yaml:snakeyaml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-18640"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-04T21:34:16Z",
    "nvd_published_at": "2019-12-12T03:15:00Z",
    "severity": "HIGH"
  },
  "details": "The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.",
  "id": "GHSA-rvwf-54qp-4r6v",
  "modified": "2022-08-11T21:47:32Z",
  "published": "2021-06-04T21:37:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18640"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5@%3Ccommon-commits.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d@%3Ccommon-dev.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2@%3Cpr.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95@%3Ccommits.servicecomb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b@%3Cdev.phoenix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "PACKAGE",
      "url": "https://bitbucket.org/asomov/snakeyaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a@%3Ccommits.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5@%3Ccommon-commits.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263@%3Ccommon-commits.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6"
    },
    {
      "type": "WEB",
      "url": "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202305-28"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/asomov/snakeyaml/wiki/Changes"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/377"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457@%3Ccommits.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8@%3Ccommon-commits.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854@%3Ccommits.pulsar.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e@%3Cdev.phoenix.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14@%3Ccommits.servicecomb.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422@%3Cdev.atlas.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25@%3Ccommits.cassandra.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda@%3Ccommon-issues.hadoop.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea@%3Ccommits.pulsar.apache.org%3E"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SnakeYAML Entity Expansion during load operation"
}

GHSA-VMWR-MC7X-5VC3

Vulnerability from github – Published: 2024-08-22 16:40 – Updated: 2025-11-03 22:47
VLAI
Summary
REXML denial of service vulnerability
Details

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

  • https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rexml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-43398"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-22T16:40:46Z",
    "nvd_published_at": "2024-08-22T15:15:16Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the vulnerability.\n\n### Workarounds\n\nDon\u0027t parse untrusted XMLs with tree parser API.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org",
  "id": "GHSA-vmwr-mc7x-5vc3",
  "modified": "2025-11-03T22:47:47Z",
  "published": "2024-08-22T16:40:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43398"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ruby/rexml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ruby/rexml/releases/tag/v3.3.6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20250103-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "REXML denial of service vulnerability"
}

Mitigation
Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Mitigation
Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

CAPEC-197: Exponential Data Expansion

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.