VYPR

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Abstraction: Base
Status: Draft
Likelihood: Medium

Description

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-197

CVEs mapped to this weakness (58)

page 2 of 3
  • CVE-2026-44018 (Jun 3, 2026)
    risk 0.00 | cvss | epss 0.00

    Impact: The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: XML External Entity (XXE) attacks to read local files or cause denial of service; decompression bombs (zip bombs) to exhaust memory and disk space; …

  • CVE-2026-33036 (Mar 20, 2026)
    risk 0.00 | cvss | epss 0.01

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity…

  • CVE-2026-29074 (Mar 6, 2026)
    risk 0.00 | cvss | epss 0.00

    SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards…

  • CVE-2026-26278 (Feb 19, 2026)
    risk 0.00 | cvss | epss 0.01

    fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML…

  • CVE-2025-58767 (Sep 17, 2025)
    risk 0.00 | cvss | epss 0.00

    REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XML, you may be affected by these vulnerabilities. The REXML gem 3.4.2 or later includes the patches…

  • CVE-2025-3225 (Jul 7, 2025)
    risk 0.00 | cvss | epss 0.00

    An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a…

  • CVE-2024-43398 (Aug 22, 2024)
    risk 0.00 | cvss | epss 0.01

    REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses XML that has many deep elements with the same local name attributes. If you need to parse untrusted XML with a tree parser API like REXML::Document.new, you may be impacted to…

  • CVE-2024-37388 (Jun 7, 2024)
    risk 0.00 | cvss | epss 0.01

    An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of lxml before v4.9.1 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

  • CVE-2024-36827 (Jun 7, 2024)
    risk 0.00 | cvss | epss 0.01

    An XML External Entity (XXE) vulnerability in the ebookmeta.get_metadata function of ebookmeta before v1.2.8 allows attackers to access sensitive information or cause a Denial of Service (DoS) via crafted XML input.

  • CVE-2024-1455 (Mar 26, 2024)
    risk 0.00 | cvss | epss 0.01

    A vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory…

  • CVE-2023-49735 (Nov 30, 2023)
    risk 0.00 | cvss | epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key.…

  • CVE-2023-28118 (Mar 20, 2023)
    risk 0.00 | cvss | epss 0.01

    kaml provides YAML support for kotlinx.serialization. Prior to version 0.53.0, applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. Version 0.53.0 and later default to refusing to parse YAML documents…

  • CVE-2023-24443 (Jan 24, 2023)
    risk 0.00 | cvss | epss 0.01

    Jenkins TestComplete support Plugin 2.8.1 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2023-24441 (Jan 24, 2023)
    risk 0.00 | cvss | epss 0.01

    Jenkins MSTest Plugin 1.0.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks.

  • CVE-2022-25857 (Aug 30, 2022)
    risk 0.00 | cvss | epss 0.02

    The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

  • CVE-2022-33977 (Jul 26, 2022)
    risk 0.00 | cvss | epss 0.01

    untangle is a Python library to convert XML data to Python objects. untangle versions 1.2.0 and earlier improperly restrict recursive entity references in DTDs. By exploiting this vulnerability, a remote unauthenticated attacker may cause a denial-of-service (DoS) condition on…

  • CVE-2021-41559 (Jun 28, 2022)
    risk 0.00 | cvss | epss 0.01

    Silverstripe silverstripe/framework 4.8.1 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.

  • CVE-2022-26662 (Mar 7, 2022)
    risk 0.00 | cvss | epss 0.02

    An XML Entity Expansion (XEE) issue was discovered in Tryton Application Platform (Server) 5.x through 5.0.45, 6.x through 6.0.15, and 6.1.x and 6.2.x through 6.2.5, and Tryton Application Platform (Command Line Client (proteus)) 5.x through 5.0.11, 6.x through 6.0.4, and 6.1.x…

  • CVE-2022-23640 (Mar 2, 2022)
    risk 0.00 | cvss | epss 0.01

    Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a…

  • CVE-2021-25951 (Jun 30, 2021)
    risk 0.00 | cvss | epss 0.01

    XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to cause a denial of service.