CVE-2018-19244
Description
An XML External Entity (XXE) vulnerability exists in the Charles 4.2.7 import/export setup option. If a user imports a "Charles Settings.xml" file from an attacker, an intranet network may be accessed and information may be leaked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Charles 4.2.7 has an XXE vulnerability in settings import allowing intranet access and information disclosure.
Vulnerability
Charles Proxy version 4.2.7 and earlier contains an XML External Entity (XXE) vulnerability in the import/export setup functionality. When a user imports a crafted "Charles Settings.xml" file, the XML parser processes external entities, enabling access to internal network resources. The vulnerability is triggered during the import process without any special configuration.
Exploitation
An attacker crafts a malicious XML file that includes an external entity definition, such as <!ENTITY file SYSTEM "jar:http://127.0.0.1:2014/!/">. The attacker then convinces the user to import this file via Charles' import/export feature. No authentication is required; user interaction is necessary. The example in the reference shows the entity pointing to a server at 127.0.0.1, but arbitrary internal addresses can be targeted.
Impact
Successful exploitation allows an attacker to perform server-side request forgery (SSRF) attacks, accessing internal network services and potentially reading files from the local file system. This can lead to information disclosure, including sensitive data from intranet resources.
Mitigation
As of the publication date (2018-11-13), no official patch or workaround has been disclosed in the available reference [1]. Users should avoid importing settings files from untrusted sources and monitor for updates from Charles Proxy. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"XML parser in Charles 4.2.7 does not disable external entity processing when importing settings files, allowing XXE attacks."
Attack vector
An attacker crafts a malicious "Charles Settings.xml" file containing an XML External Entity (XXE) declaration that references a remote server via a `jar:` protocol URI (e.g., `jar:http://127.0.0.1:2014/!/`). The attacker also runs a blocking server on the specified port to serve a response. When a victim imports this settings file into Charles 4.2.7, the XML parser resolves the external entity, causing the application to make an outbound HTTP request to the attacker-controlled server. The response from the attacker's server is written to a temporary file on the victim's system (e.g., `jar_cachexxxxxxxxxxxxx.tmp`), enabling information leakage from the intranet [1].
Affected code
The vulnerability resides in Charles 4.2.7's import/export settings functionality, which processes "Charles Settings.xml" files without disabling XML external entity resolution. The advisory does not specify exact source files or functions, but the XML parser handling the import is the affected component [1].
What the fix does
No patch is provided in the bundle, and the advisory does not include a fix or remediation from the vendor. To mitigate this vulnerability, users should avoid importing settings files from untrusted sources, and the vendor should configure the XML parser to refuse external entity processing, for example by setting `DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` or an equivalent option: rejecting any DOCTYPE means no entity can be declared in an imported file, so none can be resolved [1].
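A hardened import routine built around the DocumentBuilderFactory feature named above, added here as an illustration and not code from Charles Proxy or the advisory; the class name, the two constructed settings snippets and the placeholder entity URI are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeSettingsImport {
    // Constructed sample: a settings file whose DOCTYPE declares an external entity.
    // The URI is a placeholder; only the presence of the DOCTYPE matters here.
    static final String UNTRUSTED_SETTINGS =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE charles [ <!ENTITY ext SYSTEM \"http://placeholder.invalid/\"> ]>\n"
      + "<charles-export><setting>&ext;</setting></charles-export>";
    // Constructed sample with no DOCTYPE, as a benign settings file would look.
    static final String CLEAN_SETTINGS =
        "<?xml version=\"1.0\"?><charles-export><setting>value</setting></charles-export>";

    // Parser that refuses any DOCTYPE, so no entity can be declared, let alone resolved.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The feature named in the advisory: reject <!DOCTYPE ...> outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where the DOCTYPE ban is not honoured.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newDocumentBuilder();
    }

    // Returns the parsed settings, or null when the file is rejected as unsafe.
    static Document importSettings(String xml) throws Exception {
        try {
            byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
            return hardenedBuilder().parse(new ByteArrayInputStream(bytes));
        } catch (SAXParseException e) {
            // A DOCTYPE in a settings file is itself a detection signal worth logging.
            System.err.println("Rejected settings file: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("untrusted accepted: " + (importSettings(UNTRUSTED_SETTINGS) != null));
        System.out.println("clean accepted:     " + (importSettings(CLEAN_SETTINGS) != null));
    }
}
```

With the JDK's built-in parser the DOCTYPE-bearing sample is rejected before any entity is fetched, while the plain settings file parses normally.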
Preconditions
- Input: The victim must manually import a "Charles Settings.xml" file supplied by the attacker into Charles 4.2.7.
- Network: The attacker must run a blocking server on the specified host and port to serve the XXE payload response.
Reproduction
1. Create a malicious "Charles Settings.xml" file with an XXE payload (as shown in the PoC) that defines an entity pointing to `jar:http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. whitehatck01.blogspot.com/2018/11/charles-427-xml-external-entity.html (MITRE, x_refsource_MISC)
News mentions: 0
No linked articles in our index yet.