XML External Entity (XXE) Injection
Description
User-controlled XML input can lead to XXE vulnerabilities if the parser processes external entities. This may allow attackers to read local files, perform SSRF, or execute denial-of-service attacks.
Examples
Insecure Code

```javascript
const libxmljs = require('libxmljs');
// Attacker-supplied document: the inline DTD declares an external entity that points at a
// local file, and the body references it, so a parser that resolves entities leaks the file.
const xml = '<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>';
// Default parser configuration: nothing stops the entity from being resolved.
const parser = new libxmljs.SaxParser();
parser.parseString(xml);
```

Secure Code
```javascript
const libxmljs = require('libxmljs');
const xml = '<root>hello</root>';
// libxmljs passes libxml2 parser flags through parseXml(). The rule's generic
// "externalEntities: false" corresponds here to leaving entity substitution (noent) off
// and disabling external DTD loading and network access, so a DOCTYPE such as the one
// in the insecure example can reach neither file:// nor http:// resources.
const doc = libxmljs.parseXml(xml, { noent: false, dtdload: false, nonet: true });
```

Remediation
Disable external entity processing in the XML parser: set `externalEntities: false`, or the equivalent option for the library in use, and never parse untrusted input with a configuration that resolves external entities or loads external DTDs.
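As an added example that is not part of this rule page or of libxmljs: a library-independent, fail-closed gate that refuses any document carrying a DTD, an undefined entity reference, or a non-UTF-8 encoding before it reaches the real parser, so the protection does not hinge on remembering a library-specific option name. The size limit, the `inspectXml` and `parseUntrustedXml` names, and the stand-in parser callback are constructed for this example.

```javascript
// Constructed limit: caps parser memory and the surface for entity-expansion payloads.
const MAX_BYTES = 1 << 20;

// Returns { ok: true } or { ok: false, reason } without parsing the XML at all.
function inspectXml(input) {
  let text;
  if (Buffer.isBuffer(input)) {
    if (input.length > MAX_BYTES) return { ok: false, reason: 'document exceeds size limit' };
    // UTF-16 (with or without a BOM) would hide "<!DOCTYPE" from a UTF-8 text scan,
    // so anything that does not look like UTF-8/ASCII is refused up front.
    const b0 = input[0], b1 = input[1];
    if ((b0 === 0xff && b1 === 0xfe) || (b0 === 0xfe && b1 === 0xff) || b0 === 0x00 || b1 === 0x00) {
      return { ok: false, reason: 'only UTF-8 input is accepted' };
    }
    text = input.toString('utf8');
  } else {
    text = String(input);
    if (text.length > MAX_BYTES) return { ok: false, reason: 'document exceeds size limit' };
  }
  // An XML declaration naming another encoding is refused as well (fail closed).
  const enc = /^\uFEFF?<\?xml[^>]*?encoding\s*=\s*["']([^"']+)["']/i.exec(text);
  if (enc && enc[1].toLowerCase() !== 'utf-8') return { ok: false, reason: `encoding ${enc[1]} not accepted` };
  // Any markup declaration means a DTD is present. XML keywords are case-sensitive;
  // matching case-insensitively can only over-reject, which is the safe direction.
  const decl = /<!\s*(DOCTYPE|ENTITY)\b/i.exec(text);
  if (decl) return { ok: false, reason: `${decl[1].toUpperCase()} declaration not allowed` };
  // Without a DTD only the five predefined entities and character references are legal,
  // so any other reference (e.g. &xxe;) is refused here instead of being left to the parser.
  const ref = /&(?!(amp|lt|gt|apos|quot|#\d+|#x[0-9a-f]+);)[A-Za-z_:][\w.:-]*;/i.exec(text);
  if (ref) return { ok: false, reason: `undefined entity reference ${ref[0]}` };
  return { ok: true };
}

// Wrap whichever parser is in use (libxmljs, fast-xml-parser, ...) so the gate always runs first.
function parseUntrustedXml(input, parse) {
  const verdict = inspectXml(input);
  if (!verdict.ok) throw new Error(`rejected XML: ${verdict.reason}`);
  return parse(Buffer.isBuffer(input) ? input.toString('utf8') : String(input));
}

// Demo with the rule's own payload; `parse` above is a stand-in for the real parser call.
const payload = '<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><root>&xxe;</root>';
console.log(inspectXml(payload));              // { ok: false, reason: 'DOCTYPE declaration not allowed' }
console.log(inspectXml('<root>hello</root>')); // { ok: true }
```

Rejecting every DTD is stricter than disabling entity resolution, so it is only suitable where the application never legitimately receives documents with a DOCTYPE.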
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0816 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | XXE, XML Injection |
| OWASP | A4:2017-XML External Entities (XXE), A05:2021-Security Misconfiguration |