CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Description
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Common Consequences
Scope: Availability. Impact: DoS: Resource Consumption (Other).
Potential Mitigations
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
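As a worked illustration of the second mitigation, the following Python pre-scan is added here; it is not part of the CWE entry and is not taken from any of the products cited below. It reads only the DOCTYPE of a document through the standard-library expat binding, records the internal general entity declarations, and computes how large each entity would become when expanded without actually expanding anything, so a document whose entities chain back to themselves or exceed a size limit is refused before the real parser ever sees its body. The names check_dtd, MAX_EXPANSION, MAX_DEPTH and the sample documents are constructed for this example.

```python
import re
import xml.parsers.expat

# Policy limits (constructed for this example): the largest replacement text a
# single entity may expand to, and the deepest entity-within-entity chain allowed.
MAX_EXPANSION = 1_000_000
MAX_DEPTH = 8

# Matches a general entity or character reference inside an entity's replacement text.
ENTITY_REF = re.compile(r"&([^;\s&]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


class ExplosiveDtdError(ValueError):
    """Raised when the DTD would expand to an unsafe size or references itself."""


class _DtdDone(Exception):
    """Internal signal used to stop the parser once the DOCTYPE has been read."""


def collect_internal_entities(xml_bytes: bytes) -> dict:
    """Read only the DTD of a document and return {name: replacement text} for
    internal general entities. Expat hands the replacement text over verbatim
    (nested &refs; are not expanded at declaration time), and parsing is
    aborted at the end of the DOCTYPE so nothing in the body is expanded."""
    entities = {}
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if not is_param and value is not None:  # internal general entity
            entities[name] = value

    def doctype_end():
        raise _DtdDone

    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = doctype_end
    try:
        parser.Parse(xml_bytes, True)
    except _DtdDone:
        pass  # DOCTYPE fully read; the body is deliberately left unparsed
    return entities


def expansion_sizes(entities: dict) -> dict:
    """Compute the fully expanded length of every entity by walking the
    declaration graph instead of expanding text. Cycles and over-deep chains
    are reported as errors."""
    memo = {}

    def size(name, chain):
        if name in memo:
            return memo[name]
        if name.startswith("#") or name in PREDEFINED:
            return 1  # character reference or predefined entity: one character
        if name not in entities:
            return len(name) + 2  # undeclared entity: count the literal reference
        if name in chain:
            raise ExplosiveDtdError("recursive entity reference: " + " -> ".join(chain + [name]))
        if len(chain) >= MAX_DEPTH:
            raise ExplosiveDtdError("entity nesting deeper than %d at %s" % (MAX_DEPTH, name))
        value, total, last = entities[name], 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - last          # literal text before the reference
            total += size(ref.group(1), chain + [name])
            last = ref.end()
        total += len(value) - last               # literal text after the last reference
        memo[name] = total
        return total

    return {name: size(name, []) for name in entities}


def check_dtd(xml_bytes: bytes, max_expansion: int = MAX_EXPANSION) -> dict:
    """Gate to run before handing a document to the real parser. Returns the
    per-entity expansion sizes, or raises ExplosiveDtdError."""
    sizes = expansion_sizes(collect_internal_entities(xml_bytes))
    for name, n in sizes.items():
        if n > max_expansion:
            raise ExplosiveDtdError(
                "entity '%s' expands to %d characters (limit %d)" % (name, n, max_expansion))
    return sizes


# Constructed sample documents.
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY company "Example Corp">
  <!ENTITY sig "Regards, &company;">
]>
<note>&sig;</note>"""

RECURSIVE = b"""<!DOCTYPE r [ <!ENTITY x "&y;"> <!ENTITY y "&x;"> ]><r>&x;</r>"""


def nested_entities(levels: int, fanout: int) -> bytes:
    """Build a small document whose DTD chains `levels` entities, each made of
    `fanout` references to the previous one: a few hundred bytes of DTD that
    would expand to fanout**levels characters."""
    decls = ['<!ENTITY e0 "' + "x" * fanout + '">']
    for i in range(1, levels):
        decls.append('<!ENTITY e%d "' % i + ("&e%d;" % (i - 1)) * fanout + '">')
    doc = "<!DOCTYPE r [\n" + "\n".join(decls) + "\n]>\n<r>&e%d;</r>" % (levels - 1)
    return doc.encode()


if __name__ == "__main__":
    print(check_dtd(BENIGN))                      # {'company': 12, 'sig': 21}
    for doc in (nested_entities(7, 10), RECURSIVE):
        try:
            check_dtd(doc)
        except ExplosiveDtdError as err:
            print("rejected:", err)
```

The pre-scan only inspects the internal DTD subset, which is where the declarations that matter for this weakness live; it does not fetch external DTDs, and a document that passes should still be parsed with a parser whose own entity-expansion limits are enabled rather than with DTD processing turned on unconditionally.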
Observed Examples
CVE-2008-3281: XEE in XML-parsing library.
CVE-2011-3288: XML bomb / XEE in enterprise communication product.
CVE-2011-1755: "Billion laughs" attack in XMPP server daemon.
CVE-2009-1955: XML bomb in web server module.
CVE-2003-1564: Parsing library allows XML bomb.