Common Weakness Enumeration

CWE-611

Allowed

Improper Restriction of XML External Entity Reference

Abstraction: Base · Status: Draft

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

1694 vulnerabilities reference this CWE, most recent first.

GHSA-35HC-X2CW-2J4V

Vulnerability from github – Published: 2018-10-16 19:54 – Updated: 2022-04-26 19:04
VLAI
Summary
Denial of service vulnerability exists when .NET and .NET Core improperly process XML documents
Details

A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7/4.7.1, Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6.2/4.7/4.7.1, .NET Core 2.0, Microsoft .NET Framework 4.7.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "System.Security.Cryptography.Xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-0765"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T20:54:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka \".NET and .NET Core Denial of Service Vulnerability.\" This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7/4.7.1, Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6.2/4.7/4.7.1, .NET Core 2.0, Microsoft .NET Framework 4.7.2.",
  "id": "GHSA-35hc-x2cw-2j4v",
  "modified": "2022-04-26T19:04:54Z",
  "published": "2018-10-16T19:54:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-0765"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-35hc-x2cw-2j4v"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0765"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104060"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040851"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service vulnerability exists when .NET and .NET Core improperly process XML documents"
}

GHSA-36J8-P24P-6P6Q

Vulnerability from github – Published: 2022-10-04 00:00 – Updated: 2022-10-05 00:00
VLAI
Details

An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-42307"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-03T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.",
  "id": "GHSA-36j8-p24p-6p6q",
  "modified": "2022-10-05T00:00:37Z",
  "published": "2022-10-04T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42307"
    },
    {
      "type": "WEB",
      "url": "https://www.veritas.com/content/support/en_US/security/VTS22-012#M2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-388M-42JQ-JJRP

Vulnerability from github – Published: 2022-05-14 03:19 – Updated: 2022-05-14 03:19
VLAI
Details

RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-1247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-08T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "RSA Authentication Manager Security Console, version 8.3 and earlier, contains a XML External Entity (XXE) vulnerability. This could potentially allow admin users to cause a denial of service or extract server data via injecting a maliciously crafted DTD in an XML file submitted to the application.",
  "id": "GHSA-388m-42jq-jjrp",
  "modified": "2022-05-14T03:19:06Z",
  "published": "2022-05-14T03:19:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1247"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/44634"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2018/May/18"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104107"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040835"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-38GF-Q933-Q62G

Vulnerability from github – Published: 2024-11-06 18:31 – Updated: 2024-11-06 18:31
VLAI
Details

A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side request forgery (SSRF) attack through an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials.

This vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing XML input. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system or conduct an SSRF attack through the affected device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20531"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-06T17:15:18Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the API of Cisco ISE could allow an authenticated, remote attacker to read arbitrary files on the underlying operating system of an affected device and conduct a server-side request forgery (SSRF) attack through an affected device. To exploit this vulnerability, the attacker would need valid Super Admin credentials.\n\nThis vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing XML input. An attacker could exploit this vulnerability by sending a crafted API request to an affected device. A successful exploit could allow the attacker to read arbitrary files on the underlying operating system or conduct an SSRF attack through the affected device.",
  "id": "GHSA-38gf-q933-q62g",
  "modified": "2024-11-06T18:31:11Z",
  "published": "2024-11-06T18:31:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20531"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-vuln-DBQdWRy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-38GF-RH2W-GMJ7

Vulnerability from github – Published: 2024-05-08 19:55 – Updated: 2024-05-14 20:01
VLAI
Summary
@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability
Details

Impact

XML External entity injections could be possible, when running the provided XML Validator on arbitrary input.

POC

const {
  Spec: { Version },
  Validation: { XmlValidator }
} = require('@cyclonedx/cyclonedx-library');

const version = Version.v1dot5;
const validator = new XmlValidator(version);
const input = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE poc [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5">
  <components>
    <component type="library">
      <name>testing</name>
      <version>1.337</version>
      <licenses>
        <license>
          <id>&xxe;</id><!-- << XML external entity (XXE) injection -->
        </license>
      </licenses>
    </component>
  </components>
</bom>`;

// validating this forged(^) input might lead to unintended behaviour
// for the fact that the XML external entity would be taken into account.
validator.validate(input).then(ve => {
  console.error('validation error', ve);
});

Patches

This issue was fixed in @cyclonedx/cyclonedx-library@6.7.1.

Workarounds

Do not run the provided XML validator on untrusted inputs.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@cyclonedx/cyclonedx-library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "6.7.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34345"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-08T19:55:37Z",
    "nvd_published_at": "2024-05-14T15:38:40Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nXML External entity injections could be possible, when running the provided XML Validator on arbitrary input.\n\n#### POC\n\n```js\nconst {\n  Spec: { Version },\n  Validation: { XmlValidator }\n} = require(\u0027@cyclonedx/cyclonedx-library\u0027);\n\nconst version = Version.v1dot5;\nconst validator = new XmlValidator(version);\nconst input = `\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003c!DOCTYPE poc [\n  \u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e\n]\u003e\n\u003cbom xmlns=\"http://cyclonedx.org/schema/bom/1.5\"\u003e\n  \u003ccomponents\u003e\n    \u003ccomponent type=\"library\"\u003e\n      \u003cname\u003etesting\u003c/name\u003e\n      \u003cversion\u003e1.337\u003c/version\u003e\n      \u003clicenses\u003e\n        \u003clicense\u003e\n          \u003cid\u003e\u0026xxe;\u003c/id\u003e\u003c!-- \u003c\u003c XML external entity (XXE) injection --\u003e\n        \u003c/license\u003e\n      \u003c/licenses\u003e\n    \u003c/component\u003e\n  \u003c/components\u003e\n\u003c/bom\u003e`;\n\n// validating this forged(^) input might lead to unintended behaviour\n// for the fact that the XML external entity would be taken into account.\nvalidator.validate(input).then(ve =\u003e {\n  console.error(\u0027validation error\u0027, ve);\n});\n```\n\n### Patches\n\nThis issue was fixed in `@cyclonedx/cyclonedx-library@6.7.1 `.\n\n\n\n### Workarounds\n\nDo not run the provided XML validator on untrusted inputs.\n\n### References\n\n* issue was introduced via \u003chttps://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063\u003e.  \n",
  "id": "GHSA-38gf-rh2w-gmj7",
  "modified": "2024-05-14T20:01:46Z",
  "published": "2024-05-08T19:55:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34345"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1063"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/commit/5e5e1e0b9422f47d2de81c7c4064b803a01e7203"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/CycloneDX/cyclonedx-javascript-library"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@cyclonedx/cyclonedx-library Improper Restriction of XML External Entity Reference vulnerability"
}

GHSA-38W8-H222-WRPP

Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2022-12-01 22:12
VLAI
Summary
Improper Restriction of XML External Entity Reference in Jenkins Chef Sinatra
Details

Chef Sinatra Plugin 1.20 and earlier does not perform a permission check in a method implementing form validation.

As the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:sinatra-chef-builder"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-16T22:45:12Z",
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Chef Sinatra Plugin 1.20 and earlier does not perform a permission check in a method implementing form validation.\n\nAs the plugin does not configure its XML parser to prevent XML external entity (XXE) attacks, attackers can have Jenkins parse a crafted XML response that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.",
  "id": "GHSA-38w8-h222-wrpp",
  "modified": "2022-12-01T22:12:02Z",
  "published": "2022-02-16T00:01:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25209"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-1377"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Restriction of XML External Entity Reference in Jenkins Chef Sinatra"
}

GHSA-39GJ-7C5P-CCX8

Vulnerability from github – Published: 2025-07-11 09:30 – Updated: 2025-11-03 21:34
VLAI
Details

CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access when the server is accessed via the network using an application account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-6438"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-11T09:15:24Z",
    "severity": "MODERATE"
  },
  "details": "CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could\ncause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access\nwhen the server is accessed via the network using an application account.",
  "id": "GHSA-39gj-7c5p-ccx8",
  "modified": "2025-11-03T21:34:05Z",
  "published": "2025-07-11T09:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6438"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2025-189-01.pdf"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2025/Jul/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3G93-9F89-PRGJ

Vulnerability from github – Published: 2022-05-14 01:11 – Updated: 2022-05-14 01:11
VLAI
Details

A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka 'MS XML Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0795.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-0793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-09T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input, aka \u0027MS XML Remote Code Execution Vulnerability\u0027. This CVE ID is unique from CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0795.",
  "id": "GHSA-3g93-9f89-prgj",
  "modified": "2022-05-14T01:11:02Z",
  "published": "2022-05-14T01:11:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0793"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0793"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107729"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3GG6-GCFV-5R7J

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09
VLAI
Details

IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196073.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20399"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-27T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and  7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.  IBM X-Force ID:  196073.",
  "id": "GHSA-3gg6-gcfv-5r7j",
  "modified": "2022-05-24T19:09:16Z",
  "published": "2022-05-24T19:09:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20399"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196073"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6475263"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-3GRG-C26Q-4W39

Vulnerability from github – Published: 2026-04-30 18:30 – Updated: 2026-05-04 15:31
VLAI
Details

Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3., from 4.3x before 5.2..

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-30T16:16:40Z",
    "severity": "HIGH"
  },
  "details": "Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.",
  "id": "GHSA-3grg-c26q-4w39",
  "modified": "2026-05-04T15:31:11Z",
  "published": "2026-04-30T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14543"
    },
    {
      "type": "WEB",
      "url": "https://www.rti.com/vulnerabilities/#cve-2025-14543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Implementation System Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

CAPEC-221: Data Serialization External Entities Blowup

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.