CWE-611 advisories

XML External Entity (XXE)

What it is

An XML parser resolves external entities, letting an attacker read files or reach internal services.

How to fix it

Upgrade the parser library and disable DTD and external-entity processing in it.

How to avoid it

Disable external entities and DTDs on every XML parser by default.
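As an added example (not code from the Stateward page or its advisory database), the following hardened loader built on Python's standard-library expat parser refuses any DTD and any external-entity fetch, and is run against a constructed XXE-style document to show the rejection; the `file:///placeholder` system identifier is a placeholder, not a real path.

```python
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when a document declares a DTD or references an external entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires on "<!DOCTYPE ...>" before any entity in the DTD is processed, so
    # rejecting here blocks external entities and entity-expansion DoS alike.
    raise UnsafeXml(f"DOCTYPE declaration rejected (root {name!r})")


def _reject_external_entity(context, base, sysid, pubid):
    # Belt and braces: never fetch a SYSTEM/PUBLIC entity even if a DTD slipped through.
    raise UnsafeXml(f"external entity fetch rejected: {sysid!r}")


def parse_hardened(data: bytes) -> list[tuple[str, str]]:
    """Parse XML into [(element_name, text)] with DTDs and external entities forbidden."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_entity
    # Parameter entities can also point at URLs: never resolve them from outside the document.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    elements: list[tuple[str, str]] = []
    stack: list[list[str]] = []  # innermost element's name followed by its text chunks
    parser.StartElementHandler = lambda name, attrs: stack.append([name])
    parser.CharacterDataHandler = lambda text: stack and stack[-1].append(text)

    def end(name):
        entry = stack.pop()
        elements.append((entry[0], "".join(entry[1:]).strip()))

    parser.EndElementHandler = end
    parser.Parse(data, True)  # True = this is the final chunk
    return elements


# Constructed sample documents (placeholder values, not real targets).
BENIGN = b"<?xml version='1.0'?><order><id>42</id><note>ok</note></order>"
XXE_STYLE = (b"<?xml version='1.0'?><!DOCTYPE d [<!ENTITY ext SYSTEM 'file:///placeholder'>]>"
             b"<order><id>&ext;</id></order>")


def is_rejected(data: bytes) -> bool:
    """True when the hardened loader refuses the document."""
    try:
        parse_hardened(data)
    except UnsafeXml:
        return True
    return False
```

Because the DOCTYPE handler raises before any entity declaration is read, the `ExternalEntityRefHandler` is never reached on the sample document; it remains as a second line of defence for parsers where DOCTYPE rejection is relaxed.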

Known XML External Entity (XXE) vulnerabilities

Stateward flags XML External Entity (XXE) in your own code and dependencies on every pull request.


Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.