Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-PR38-7Q66-HQQH

Vulnerability from github – Published: 2023-02-09 21:30 – Updated: 2025-03-24 21:30
VLAI
Details

Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24323"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.",
  "id": "GHSA-pr38-7q66-hqqh",
  "modified": "2025-03-24T21:30:27Z",
  "published": "2023-02-09T21:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24323"
    },
    {
      "type": "WEB",
      "url": "https://github.com/blakduk/Advisories/blob/main/Mojoportal/README.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/i7MEDIA/mojoportal"
    },
    {
      "type": "WEB",
      "url": "https://www.mojoportal.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PR9H-G7P7-RRQH

Vulnerability from github – Published: 2022-05-14 03:46 – Updated: 2022-11-03 19:13
VLAI
Summary
XML External Entity Reference in Jenkins FindBugs Plugin
Details

Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jvnet.hudson.plugins.findbugs:library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-03T19:13:08Z",
    "nvd_published_at": "2018-01-23T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "Jenkins FindBugs Plugin 4.71 and earlier processes XML external entities in files it parses as part of the build process, allowing attackers with user permissions in Jenkins to extract secrets from the Jenkins master, perform server-side request forgery, or denial-of-service attacks.",
  "id": "GHSA-pr9h-g7p7-rrqh",
  "modified": "2022-11-03T19:13:08Z",
  "published": "2022-05-14T03:46:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000011"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2018-01-22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XML External Entity Reference in Jenkins FindBugs Plugin"
}

GHSA-PRGJ-F78P-GH4P

Vulnerability from github – Published: 2022-05-17 02:45 – Updated: 2022-05-17 02:45
VLAI
Details

IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1103"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-05-10T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Team Concert (RTC) is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 120665.",
  "id": "GHSA-prgj-f78p-gh4p",
  "modified": "2022-05-17T02:45:41Z",
  "published": "2022-05-17T02:45:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1103"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg22002429"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PV39-QP28-4MGH

Vulnerability from github – Published: 2022-03-26 00:00 – Updated: 2022-04-12 16:40
VLAI
Summary
Improper Restriction of XML External Entity Reference in soa-model
Details

Soa-model is a toolkit and Java API for WSDL, WADL and XML Schema. An XML External Entity (XXE) vulnerability exists in versions of soa-model prior to 1.6.4 in the WSDLParser function. This issue has been fixed in version 1.6.4.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.predic8:soa-model-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.predic8:soa-model-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-30T15:05:12Z",
    "nvd_published_at": "2022-03-25T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Soa-model is a toolkit and Java API for WSDL, WADL and XML Schema. An XML External Entity (XXE) vulnerability exists in versions of soa-model prior to 1.6.4 in the WSDLParser function. This issue has been fixed in version 1.6.4.",
  "id": "GHSA-pv39-qp28-4mgh",
  "modified": "2022-04-12T16:40:09Z",
  "published": "2022-03-26T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43090"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/issues/281"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/commit/19de16902468e7963cc4dc6b544574bc1ea3f251"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/commit/3aa295f155f621d5ea661cb9a0604013fc8fd8ff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/membrane/soa-model"
    },
    {
      "type": "WEB",
      "url": "https://github.com/membrane/soa-model/releases/tag/v1.6.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in soa-model"
}

GHSA-PVF4-HR84-4G6R

Vulnerability from github – Published: 2023-03-22 00:30 – Updated: 2023-03-24 06:30
VLAI
Details

Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-21T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of VISAM VBASE Automation Base prior to 11.7.5 may disclose information if a valid user opens a specially crafted file.",
  "id": "GHSA-pvf4-hr84-4g6r",
  "modified": "2023-03-24T06:30:16Z",
  "published": "2023-03-22T00:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46300"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PVXF-5HXJ-54CH

Vulnerability from github – Published: 2022-05-17 02:12 – Updated: 2022-05-17 02:12
VLAI
Details

XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-08T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "XML External Entity (XXE) vulnerability in Apache Wink 1.1.1 and earlier allows remote attackers to read arbitrary files or cause a denial of service via a crafted XML document.",
  "id": "GHSA-pvxf-5hxj-54ch",
  "modified": "2022-05-17T02:12:13Z",
  "published": "2022-05-17T02:12:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2245"
    },
    {
      "type": "WEB",
      "url": "https://svn.apache.org/repos/asf/wink/trunk/security/CVE-2010-2245.pdf"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=wink-user\u0026m=127843482925387\u0026w=2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW7G-J3C6-JJPP

Vulnerability from github – Published: 2025-02-19 18:32 – Updated: 2025-02-19 18:32
VLAI
Details

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0

is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-19T17:15:13Z",
    "severity": "HIGH"
  },
  "details": "IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 \n\n\n\n\n\nis vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.",
  "id": "GHSA-pw7g-j3c6-jjpp",
  "modified": "2025-02-19T18:32:23Z",
  "published": "2025-02-19T18:32:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47160"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7183597"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PW95-88FG-3J6F

Vulnerability from github – Published: 2025-05-05 20:40 – Updated: 2025-05-05 22:07
VLAI
Summary
Langroid Allows XXE Injection via XMLToolMessage
Details

Summary

A LLM application leveraging XMLToolMessage class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.

Details

XMLToolMessage uses lxml without safeguards: https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52 lxml is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. Check here: https://pypi.org/project/defusedxml/#python-xml-libraries

PoC

A typical Quadratic blowup XML payload looks like this:

<!DOCTYPE bomb [
<!ENTITY a "aaaaaaaaaa">
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>

Here, &a; expands to 10 characters, &b; expands to 100, and &c; expands to 1000, causing exponential memory usage and potentially crashing the application.

Fix

Langroid 0.53.4 initializes XMLParser with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access. https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langroid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.53.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-46726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-05T20:40:44Z",
    "nvd_published_at": "2025-05-05T20:15:21Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA LLM application leveraging `XMLToolMessage` class may be exposed to untrusted XML input that could result in DoS and/or exposing local files with sensitive information.\n\n### Details\n`XMLToolMessage` uses `lxml` without safeguards:\nhttps://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52\n`lxml` is vulnerable to quadratic blowup attacks and processes external entity declarations for local files by default. \nCheck here: https://pypi.org/project/defusedxml/#python-xml-libraries\n\n### PoC\nA typical Quadratic blowup XML payload looks like this:\n```xml\n\u003c!DOCTYPE bomb [\n\u003c!ENTITY a \"aaaaaaaaaa\"\u003e\n\u003c!ENTITY b \"\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\u0026a;\"\u003e\n\u003c!ENTITY c \"\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\u0026b;\"\u003e\n]\u003e\n\u003cbomb\u003e\u0026c;\u003c/bomb\u003e\n```\nHere, \u0026a; expands to 10 characters, \u0026b; expands to 100, and \u0026c; expands to 1000, causing exponential memory usage and potentially crashing the application.\n \n### Fix\nLangroid 0.53.4 initializes `XMLParser` with flags to prevent XML External Entity (XXE), billion laughs, and external DTD attacks by disabling entity resolution, DTD loading, and network access.\nhttps://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3",
  "id": "GHSA-pw95-88fg-3j6f",
  "modified": "2025-05-05T22:07:30Z",
  "published": "2025-05-05T20:40:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/security/advisories/GHSA-pw95-88fg-3j6f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46726"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/commit/36e7e7db4dd1636de225c2c66c84052b1e9ac3c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langroid/langroid"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langroid/langroid/blob/df6227e6c079ec22bb2768498423148d6685acff/langroid/agent/xml_tool_message.py#L51-L52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Langroid Allows XXE Injection via XMLToolMessage"
}

GHSA-PWM3-776C-8Q7Q

Vulnerability from github – Published: 2025-05-14 21:31 – Updated: 2025-05-15 17:28
VLAI
Summary
BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference
Details

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.

This issue affects webdrivermanager: from 1.0.0 before 6.1.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.github.bonigarcia:webdrivermanager"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "6.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-4641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-15T17:27:58Z",
    "nvd_published_at": "2025-05-14T19:15:53Z",
    "severity": "CRITICAL"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java.\n\nThis issue affects webdrivermanager: from 1.0.0 before 6.1.0.",
  "id": "GHSA-pwm3-776c-8q7q",
  "modified": "2025-05-15T17:28:16Z",
  "published": "2025-05-14T21:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4641"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bonigarcia/webdrivermanager/pull/1458"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bonigarcia/webdrivermanager"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference"
}

GHSA-PXHP-JR2P-7HW7

Vulnerability from github – Published: 2023-01-15 09:30 – Updated: 2025-04-08 21:31
VLAI
Details

BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as "machine example.com login daniel password qwerty" in the documentation example for the .netrc file format. NOTE; 2.x versions are no longer supported. There is no available information about whether any later version is affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-23595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-15T07:15:00Z",
    "severity": "HIGH"
  },
  "details": "BlueCat Device Registration Portal 2.2 allows XXE attacks that exfiltrate single-line files. A single-line file might contain credentials, such as \"machine example.com login daniel password qwerty\" in the documentation example for the .netrc file format. NOTE; 2.x versions are no longer supported. There is no available information about whether any later version is affected.",
  "id": "GHSA-pxhp-jr2p-7hw7",
  "modified": "2025-04-08T21:31:28Z",
  "published": "2023-01-15T09:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23595"
    },
    {
      "type": "WEB",
      "url": "https://bluecatnetworks.com/integrations/adaptive-application/device-registration-portal-drp"
    },
    {
      "type": "WEB",
      "url": "https://everything.curl.dev/usingcurl/netrc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/colemanjp/XXE-Vulnerability-in-Bluecat-Device-Registration-Portal-DRP"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.