Weakness reference
CWE-611

Improper Restriction of XML External Entity Reference

01 Summary

XML External Entity (XXE) injection occurs when an application parses untrusted XML input without disabling external entity resolution. An attacker can craft malicious XML that references external files or network resources, leading to information disclosure, denial of service, or server-side request forgery. This weakness is particularly dangerous because XML parsing is often considered a "safe" operation, yet it can expose sensitive files like configuration data or credentials.

02 How It Happens

XML allows documents to reference external entities—other files or network resources—via DOCTYPE declarations and entity definitions. When an XML parser is configured with its default settings, it will attempt to resolve these references by reading local files or making network requests on behalf of the application. If the application accepts XML input from an untrusted source (a user upload, an API request, a webhook) without explicitly disabling external entity processing, an attacker can inject entity declarations that point to sensitive files (/etc/passwd, database configuration files) or internal services. The parser then resolves these references and may expose their contents in error messages, responses, or logs.

03 Real-World Impact

XXE vulnerabilities can lead to confidentiality breaches—attackers can read arbitrary files from the server filesystem, including source code, configuration files, and private keys. In some configurations, XXE can be chained with other techniques to achieve remote code execution or denial of service by referencing infinitely recursive entities or extremely large files. Organizations have suffered data leaks and compliance violations when XXE flaws exposed customer data or internal credentials stored in configuration files.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import xml.etree.ElementTree as ET

def parse_user_xml(xml_data):
    # Dangerous: no restrictions on entity resolution
    root = ET.fromstring(xml_data)
    return root.find('username').text

Why it's vulnerable:
The default ET.fromstring() parser will resolve external entities, allowing an attacker to reference local files or network resources via DOCTYPE declarations in the XML input.

Fixed pattern
from defusedxml.ElementTree import fromstring

def parse_user_xml(xml_data):
    # Safe: defusedxml rejects DOCTYPE (forbid_dtd=True), entity
    # declarations and external references before anything is expanded.
    # The stdlib XMLParser has no switch for this; assigning
    # parser.entity = {} does not disable expansion.
    root = fromstring(xml_data, forbid_dtd=True)
    node = root.find('username')
    return node.text if node is not None else None

Vulnerable pattern
<?php
function process_xml_upload($xml_string) {
    // Dangerous: libxml external entities enabled by default,
    // and nothing here rejects a DOCTYPE or blocks network access
    $dom = new DOMDocument();
    $dom->loadXML($xml_string);
    $root = $dom->documentElement;
    return $root->getElementsByTagName('data')->item(0)->nodeValue;
}
?>

Why it's vulnerable:
PHP's DOMDocument and SimpleXMLElement enable external entity loading by default, allowing XXE attacks through DOCTYPE declarations or entity references in the XML.

Fixed pattern
<?php
function process_xml_upload($xml_string) {
    // Safe: refuse any document that carries a DOCTYPE, since that is
    // where entity declarations live (reject rather than try to sanitise)
    if (stripos($xml_string, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }
    // libxml >= 2.9 (PHP 8.0+) already refuses to load external entities;
    // on older PHP, switch the loader off for the duration of the parse
    $old = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $dom = new DOMDocument();
    // LIBXML_NONET blocks network fetches; never pass LIBXML_NOENT or
    // LIBXML_DTDLOAD here, as they turn entity substitution back on
    $dom->loadXML($xml_string, LIBXML_NONET);
    if ($old !== null) {
        libxml_disable_entity_loader($old);
    }
    $node = $dom->documentElement->getElementsByTagName('data')->item(0);
    return $node ? $node->nodeValue : null;
}
?>

05 Prevention Checklist

Disable external entity resolution in all XML parsers used in your application; use language-specific safe defaults or libraries (e.g., defusedxml in Python, libxml_disable_entity_loader() in PHP).
Validate XML schema against a strict, predefined schema before parsing; reject any XML that does not conform.
Use allowlisting for DOCTYPE declarations; if your application requires DTDs, define them internally and reject any external references.
Avoid parsing user-supplied XML whenever possible; if you must, parse it in a sandboxed environment with minimal file system and network access.
Keep XML libraries updated to the latest versions, which often include XXE mitigations by default.
Log and monitor XML parsing errors for signs of XXE attempts (e.g., unusual file path references in error messages).
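The DOCTYPE rejection from the checklist above (and the DOCTYPE/entity mechanism from the How It Happens section) as a pre-parse gate, written here as an added example rather than code from the original page. It uses only the standard-library expat parser; UnsafeXMLError, check_no_dtd, is_safe_xml and the sample inputs are names and values constructed for this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Input uses DTD features (DOCTYPE, entities) that enable XXE."""


def check_no_dtd(xml_bytes):
    """Walk the document with expat and fail on the first DTD construct.

    Returns True when there is no DOCTYPE, no entity declaration and no
    external entity reference; raises UnsafeXMLError otherwise.
    Malformed input raises xml.parsers.expat.ExpatError as usual.
    """
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE not allowed: %s" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration not allowed: %s" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError("external entity reference not allowed")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(xml_bytes, True)  # handlers raise before any entity is resolved
    return True


def is_safe_xml(xml_bytes):
    try:
        return check_no_dtd(xml_bytes)
    except UnsafeXMLError:
        return False


def parse_user_xml(xml_bytes):
    """Gate first, then parse with stdlib ElementTree as the page does."""
    check_no_dtd(xml_bytes)
    node = ET.fromstring(xml_bytes).find("username")
    return node.text if node is not None else None


# Constructed sample inputs (not from the original page)
SAMPLE_OK = b"<user><username>alice</username></user>"
SAMPLE_DOCTYPE_ONLY = b"<!DOCTYPE user><user><username>bob</username></user>"
SAMPLE_EXTERNAL = (b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
                   b"<user><username>&ext;</username></user>")
```

The gate rejects a bare DOCTYPE as well as one with an internal subset, which is the allowlist policy the checklist describes: a DTD the application did not define internally is never accepted.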

06 Signs You May Already Be Affected

Check your application logs for XML parsing errors that reference unexpected file paths (e.g., /etc/passwd, file://, http://localhost). Review your XML processing code for calls to DOM or XML parsers without explicit entity resolution restrictions. If your application accepts file uploads or webhook payloads in XML format, test whether a DOCTYPE declaration referencing a local file is processed without error.
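A scanner over constructed application log lines for the indicators named above (file:// URLs, /etc/passwd, loopback URLs, DOCTYPE in parse errors), added here as an example and not part of the original page; the log format, the function names and every sample line are constructed for this example.

```python
import re

# Indicator patterns drawn from the page's own list: file:// URLs, the
# /etc/passwd path, loopback URLs, DOCTYPE/ENTITY keywords, and libxml's
# "failed to load external entity" wording showing up in parse errors.
XXE_INDICATORS = [
    ("file scheme", re.compile(r"file://", re.I)),
    ("sensitive path", re.compile(r"/etc/passwd", re.I)),
    ("loopback url",
     re.compile(r"https?://(localhost|127\.\d{1,3}\.\d{1,3}\.\d{1,3})", re.I)),
    ("dtd construct", re.compile(r"<!(DOCTYPE|ENTITY)|\bDOCTYPE\b", re.I)),
    ("external entity error", re.compile(r"failed to load external entity", re.I)),
]


def scan_xml_log(lines):
    """Return [(line_no, [indicator names])] for lines that look like XXE attempts.

    Line numbers are 1-based; a line with no matching indicator is omitted.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = [name for name, rx in XXE_INDICATORS if rx.search(line)]
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample log lines (not from any real system)
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z web INFO parsed upload order-1042.xml ok",
    '2024-05-01T10:00:05Z web ERROR DOMDocument::loadXML(): I/O warning : '
    'failed to load external entity "file:///etc/passwd"',
    '2024-05-01T10:00:09Z web ERROR DOMDocument::loadXML(): '
    'failed to load external entity "http://localhost:8080/admin"',
    "2024-05-01T10:01:00Z web WARN upload rejected: DOCTYPE declaration present",
    "2024-05-01T10:02:00Z web INFO parsed upload order-1043.xml ok",
]
```

Feed it the XML parser's error stream rather than the full application log; a single hit on a loopback or file:// URL in a parse error is worth an alert on its own.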

07 Related Recent Vulnerabilities