Improper Restriction of XML External Entity References in Multiple Components
Description
Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML External Entity references in the default configuration. The Standard Content Viewer service attempts to resolve XML External Entity references when viewing formatted XML files. The following Processors attempt to resolve XML External Entity references when configured with default property values:
- EvaluateXPath
- EvaluateXQuery
- ValidateXml
Apache NiFi flow configurations that include these Processors are vulnerable to malicious XML documents that contain Document Type Declarations with XML External Entity references. The resolution disables Document Type Declarations in the default configuration for these Processors, and disallows XML External Entity resolution in standard services.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache NiFi 0.0.1 to 1.16.0 components do not restrict XML External Entity references by default, enabling XXE attacks via crafted XML documents.
Vulnerability
Multiple components in Apache NiFi versions 0.0.1 through 1.16.0 do not restrict XML External Entity (XXE) references in their default configuration [1], [2]. The Standard Content Viewer service resolves XXE references when viewing formatted XML files. Additionally, three Processors—EvaluateXPath, EvaluateXQuery, and ValidateXml—resolve XXE references when configured with default property values [2]. This allows malicious XML documents containing Document Type Declarations with XXE references to be processed by affected NiFi flows [2].
Exploitation
An attacker who can supply a crafted XML document to an Apache NiFi instance that uses any of these components can trigger XXE processing [1], [2]. Authenticated access is not required if the NiFi instance is reachable and the flow accepts external XML input. The external entity reference is resolved during document parsing, so the attacker can cause the parser to fetch entities from attacker-controlled URIs [2].
Impact
Successful exploitation can lead to information disclosure via file inclusion, server-side request forgery (SSRF), or denial of service [1], [2]. The attacker may read arbitrary files on the NiFi server, perform network reconnaissance, or exhaust server resources. The exact impact depends on the permissions of the NiFi process and the network environment [1].
Mitigation
The fix disables Document Type Declarations in the default configuration for the affected Processors and disallows XML External Entity resolution in standard services [2]. Users should upgrade to Apache NiFi 1.16.1 or later, which includes the corrected default behavior [1]. After upgrading, no additional workaround is needed for flows that keep the default property values, because the patched defaults disable Document Type Declarations, and with them XXE resolution, even when the property is not explicitly set.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
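The hardening described under Mitigation amounts to rejecting Document Type Declarations before any entity can be declared. The following is an added example, not code from the NiFi project, that configures a JAXP DocumentBuilderFactory the same way (the class and method names are my own); it accepts a plain document and rejects a constructed one whose DOCTYPE declares an external entity.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Factory whose parsers reject any Document Type Declaration and never
    // resolve external entities: the hardened default the fix introduces.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Reject <!DOCTYPE ...> outright; with no DTD there is nowhere to declare an entity.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a caller later relaxes the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Parse untrusted XML with the hardened factory. Returns true when the
    // document is accepted and false when the parser rejects it.
    static boolean parseUntrusted(String xml) throws ParserConfigurationException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        // Constructed samples: a plain document, and one whose DOCTYPE declares an
        // external entity, the document shape the advisory describes.
        String plain = "<flow><id>1</id></flow>";
        String withDoctype = "<!DOCTYPE flow [<!ENTITY ext SYSTEM \"http://example.invalid/e\">]>"
                + "<flow>&ext;</flow>";
        System.out.println("plain accepted: " + parseUntrusted(plain));
        System.out.println("doctype accepted: " + parseUntrusted(withDoctype));
    }
}
```

The same features apply to the SAX and XPath parser factories that the affected Processors build on; the DOCTYPE rejection is what removes the entity declaration from reach regardless of which entry point parses the input.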
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.nifi:nifi (Maven) | >= 0.0.1, < 1.16.1 | 1.16.1 |
Affected products
- osv-coords (no CPE), range: >= 0.0.1, <= 1.16.0
- osv-coords (no CPE), range: >= 0.0.1, < 1.16.1
- Apache Software Foundation / Apache NiFi (v5), range: 0.0.1 to 1.16.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wc97-7623-rxwx (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-29265 (GHSA, advisory)
- lists.apache.org/thread/47od9kr9n4cyv0mv81jh3pkyx815kyjl (GHSA, x_refsource_MISC, web)
- nifi.apache.org/security.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.