Description
XML External Entity (XXE) injection occurs when an application parses untrusted XML input with a parser that has external entity processing enabled. An attacker who controls the input can add a DOCTYPE that declares entities pointing at local files or internal URLs; when the parser resolves them, the attacker can read local files, perform server-side request forgery (SSRF) against internal services, cause denial of service through nested (recursive) entity expansion, or exfiltrate sensitive data. This typically happens when XML parsers accept DTDs and resolve external entities by default without restriction, which is still the default configuration of several widely used parsers.
Recommendation
To mitigate XXE vulnerabilities, disable DTD processing entirely in XML parsers unless it is explicitly required; rejecting any DOCTYPE declaration stops both external entity resolution and entity-expansion denial of service at once. Where DTDs must be accepted, disable external general entities, external parameter entities and loading of the external DTD subset, disable XInclude, and block network access from the parser. Apply these settings explicitly rather than relying on defaults, since they differ between parser libraries and versions. Schema validation of untrusted XML is useful defence in depth but is not a substitute, because the payload lives in the DOCTYPE, which most validators do not inspect. Prefer alternative data formats such as JSON when possible.
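The following is an added example, not code from the original advisory, showing the attack from the Description and the "reject the DOCTYPE" mitigation from the Recommendation side by side, using only the Python standard library's expat binding. The secret file, the payload and all function names (`parse_vulnerable`, `parse_hardened`, `build_payload`, `demo`) are constructed here for illustration; the script assumes a POSIX-style temporary path and runs offline.

```python
"""Added example (not part of the original advisory): an XML parser that
resolves external entities versus one that refuses DTDs outright, built on
xml.parsers.expat. The secret file and the XXE payload are constructed here
so the script runs offline."""
import os
import tempfile
import xml.parsers.expat as expat


class DoctypeNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, i.e. may declare entities."""


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Deliberately unsafe: resolves SYSTEM entities by opening the referenced
    path and splicing its contents in, which is what a parser with external
    entity processing enabled does for you. Returns the root element's text."""
    parser = expat.ParserCreate()
    text_parts = []

    def external_entity_ref(context, base, system_id, public_id):
        # Naive resolver: treat the SYSTEM id as a local path (file:// or bare).
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text_parts.append
        with open(path, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1  # tell expat the reference was handled successfully

    parser.CharacterDataHandler = text_parts.append
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_bytes, True)
    return "".join(text_parts)


def parse_hardened(xml_bytes: bytes) -> str:
    """Rejects any DOCTYPE before its internal subset is read, so neither
    external entities (file read, SSRF) nor nested internal entities
    (entity-expansion DoS) can be declared. External references are refused
    as well, as a second line of defence."""
    parser = expat.ParserCreate()
    text_parts = []

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeNotAllowed(f"DOCTYPE {doctype_name!r} is not accepted from untrusted input")

    def external_entity_ref(context, base, system_id, public_id):
        raise DoctypeNotAllowed(f"external entity {system_id!r} refused")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = text_parts.append
    parser.Parse(xml_bytes, True)
    return "".join(text_parts)


def build_payload(secret_path: str) -> bytes:
    """Classic XXE payload: declare an external entity that points at a local
    file and reference it in the document body."""
    return (
        b'<?xml version="1.0"?>\n'
        b"<!DOCTYPE config [\n"
        b'  <!ENTITY xxe SYSTEM "file://' + secret_path.encode() + b'">\n'
        b"]>\n"
        b"<config>&xxe;</config>"
    )


def demo() -> dict:
    """Run both parsers against the same payload and report what each produced."""
    secret = b"db_password=hunter2"  # constructed stand-in for /etc/passwd
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(secret)
        payload = build_payload(path)
        leaked = parse_vulnerable(payload)  # file contents end up in the document
        try:
            parse_hardened(payload)
            rejected = False
        except DoctypeNotAllowed:
            rejected = True
    finally:
        os.unlink(path)
    benign = parse_hardened(b"<config>plain text, no DTD</config>")
    return {"leaked": leaked, "hardened_rejected": rejected, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The hardened parser fails closed on the DOCTYPE itself rather than trying to filter entity declarations, so it also blocks the nested-entity denial-of-service variant, which needs no external entity at all. The same control exists as a configuration switch in other parsers: for Java's DocumentBuilderFactory it is the feature `http://apache.org/xml/features/disallow-doctype-decl` set to true, and for lxml it is `etree.XMLParser(resolve_entities=False, no_network=True, load_dtd=False)`.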
References
- OWASP: XML External Entity (XXE) Processing
- CWE-20
- CWE-611
- CWE-918
- CAPEC-228
- OWASP 2021-A10
- OWASP 2021-A3
- OWASP 2021-A5
Related Issues
- Remote File Disclosure - Vulnerability
- WordPress Plugin NEX Forms 3.0 SQLI - Vulnerability
- Remote URL Inclusion - Vulnerability
- Remote File Inclusion - Vulnerability
Tags
- XXE
- XML
- Injection
- SSRF