XXE (XML External Entity)
XXE abuses XML parsers that resolve external entities, leaking files and causing SSRF or DoS.
Definition
XML External Entity (XXE) injection is a vulnerability in XML parsers that resolve external entities — a feature of the XML specification that lets a document reference content from a URI. When an application parses untrusted XML with external-entity resolution enabled, an attacker can declare an entity that points at a local file, an internal URL, or a remote DTD, and the parser will faithfully fetch the resource and inline it into the parsed document.
XXE is the canonical "the standard says we have to do this and the standard is wrong" vulnerability. Most XML parsers historically defaulted to resolving external entities. Once the bug class became well-known, libraries shipped opt-in flags to disable resolution, and many modern parsers default to safe behaviour — but legacy applications and bespoke parsers continue to ship with the dangerous defaults.
How it works
The attacker submits XML whose DOCTYPE declares an external entity pointing at a local file, then references that entity in the document body. The parser fetches the resource during entity resolution, substitutes its contents in place of the entity reference, and the application processes (and often echoes back) the result. When the application does not echo parsed content, the file is not visible in the response, but the bug is still exploitable through out-of-band variants (an attacker-hosted DTD that makes the parser send the data to the attacker) or through the parser's own error messages.
XXE composes with SSRF: the entity's system identifier can be an http:// URL, so the parser becomes a request proxy into the internal network (cloud metadata endpoints included), leaking responses or triggering side effects. It also composes with denial of service via the "billion laughs" entity-expansion attack, in which a small document of nested entity definitions expands into gigabytes of in-memory string. Billion laughs uses internal entities only, so disabling external-entity resolution does not stop it; that requires refusing the DOCTYPE altogether or enforcing expansion limits in the parser.
Impact
File disclosure, internal SSRF, denial of service, and in some configurations remote code execution via the parser's URI handlers. The best-known case is the `expect://` wrapper in PHP, which runs a command when the entity is resolved; it only exists when the non-default `expect` extension is loaded, so code execution is the exception rather than the rule.
Mitigation
Disable external-entity resolution and DTD processing in every XML parser unless your application has a documented need for them. In Java, `XMLConstants.FEATURE_SECURE_PROCESSING` alone is not enough: set the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the factory, and where DTDs are genuinely required set `external-general-entities` and `external-parameter-entities` to false and `XMLConstants.ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` to the empty string. In Python, prefer `defusedxml` over the stdlib parsers; the stdlib stopped resolving external general entities by default in 3.7.1, but `defusedxml` also refuses DTDs and entity expansion. In Go, `encoding/xml` implements neither DTDs nor external entities, so it is not affected. OWASP maintains an XXE Prevention Cheat Sheet with per-language settings. Prefer JSON over XML for new interfaces.
Examples
- CVE-2014-3660 — entity-expansion ("billion laughs") denial of service in libxml2 before 2.9.2, where the parser kept expanding nested entities even with entity substitution disabled; inherited by countless downstream parsers.
- CVE-2018-1000840 — XXE in Apache PDFBox.