Common Weakness Enumeration

CWE-776

Allowed

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Abstraction: Base · Status: Draft

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

142 vulnerabilities reference this CWE, most recent first.

GHSA-JC43-H2GQ-6J6C

Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47
VLAI
Details

IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-20453"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-04-20T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM WebSphere Application Server 8.0, 8.5, and 9.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196648.",
  "id": "GHSA-jc43-h2gq-6j6c",
  "modified": "2022-05-24T17:47:54Z",
  "published": "2022-05-24T17:47:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20453"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196648"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6445171"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JH4X-4WMF-67PR

Vulnerability from github – Published: 2022-05-17 05:10 – Updated: 2024-01-12 18:28
VLAI
Summary
Zend Framework XEE Vulnerability
Details

(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0"
            },
            {
              "fixed": "1.11.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0-rc1"
            },
            {
              "fixed": "1.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-6532"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-12T18:28:17Z",
    "nvd_published_at": "2013-02-13T17:55:00Z",
    "severity": "MODERATE"
  },
  "details": "(1) `Zend_Dom`, (2) `Zend_Feed`, (3) `Zend_Soap`, and (4) `Zend_XmlRpc` in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack.",
  "id": "GHSA-jh4x-4wmf-67pr",
  "modified": "2024-01-12T18:28:17Z",
  "published": "2022-05-17T05:10:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6532"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zf1/commit/1b5e86183a72b7b10b6c89e4f95f08c5da9716db"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zf1"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20131101014013/http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:115/?name=MDVSA-2013:115"
    },
    {
      "type": "WEB",
      "url": "http://framework.zend.com/security/advisory/ZF2012-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Zend Framework XEE Vulnerability"
}

GHSA-JMHH-W7XP-WG39

Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2023-06-09 19:45
VLAI
Summary
Nokogiri vulnerable to DoS while parsing XML entities
Details

Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2013-6461"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-09T19:45:09Z",
    "nvd_published_at": "2019-11-05T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits",
  "id": "GHSA-jmhh-w7xp-wg39",
  "modified": "2023-06-09T19:45:09Z",
  "published": "2022-05-05T00:29:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6461"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2013-6461"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6461"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90059"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2013-6461.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2013-6461"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200804224345/https://www.securityfocus.com/bid/64513"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2013/12/27/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nokogiri vulnerable to DoS while parsing XML entities"
}

GHSA-JMR7-XGP7-CMFJ

Vulnerability from github – Published: 2026-02-17 21:30 – Updated: 2026-02-27 16:50
VLAI
Summary
fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
Details

Summary

The XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application.

Details

There is a check in DocTypeReader.js that tries to prevent entity expansion attacks by rejecting entities that reference other entities (it looks for & inside entity values). This does stop classic “Billion Laughs” payloads.

However, it doesn’t stop a much simpler variant.

If you define one large entity that contains only raw text (no & characters) and then reference it many times, the parser will happily expand it every time. There is no limit on how large the expanded result can become, or how many replacements are allowed.

The problem is in replaceEntitiesValue() inside OrderedObjParser.js. It repeatedly runs val.replace() in a loop, without any checks on total output size or execution cost. As the entity grows or the number of references increases, parsing time explodes.

Relevant code:

DocTypeReader.js (lines 28–33): entity registration only checks for &

OrderedObjParser.js (lines 439–458): entity replacement loop with no limits

PoC

const { XMLParser } = require('fast-xml-parser');

const entity = 'A'.repeat(1000);
const refs = '&big;'.repeat(100);
const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;

console.time('parse');
new XMLParser().parse(xml); // ~4–8 seconds for ~1.3 KB of XML
console.timeEnd('parse');

// 5,000 chars × 100 refs takes 200+ seconds
// 50,000 chars × 1,000 refs will hang indefinitely

Impact

This is a straightforward denial-of-service issue.

Any service that parses user-supplied XML using the default configuration is vulnerable. Since Node.js runs on a single thread, the moment the parser starts expanding entities, the event loop is blocked. While this is happening, the server can’t handle any other requests.

In testing, a payload of only a few kilobytes was enough to make a simple HTTP server completely unresponsive for several minutes, with all other requests timing out.

Workaround

Avoid using DOCTYPE parsing by processEntities: false option.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.3"
            },
            {
              "fixed": "4.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T21:30:10Z",
    "nvd_published_at": "2026-02-19T20:25:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it\u2019s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application.\n\n### Details\nThere is a check in `DocTypeReader.js` that tries to prevent entity expansion attacks by rejecting entities that reference other entities (it looks for \u0026 inside entity values). This does stop classic \u201cBillion Laughs\u201d payloads.\n\nHowever, it doesn\u2019t stop a much simpler variant.\n\nIf you define one large entity that contains only raw text (no \u0026 characters) and then reference it many times, the parser will happily expand it every time. There is no limit on how large the expanded result can become, or how many replacements are allowed.\n\nThe problem is in `replaceEntitiesValue()` inside `OrderedObjParser.js`. It repeatedly runs `val.replace()` in a loop, without any checks on total output size or execution cost. As the entity grows or the number of references increases, parsing time explodes.\n\nRelevant code:\n\n`DocTypeReader.js` (lines 28\u201333): entity registration only checks for \u0026\n\n`OrderedObjParser.js` (lines 439\u2013458): entity replacement loop with no limits\n\n### PoC\n\n```js\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\nconst entity = \u0027A\u0027.repeat(1000);\nconst refs = \u0027\u0026big;\u0027.repeat(100);\nconst xml = `\u003c!DOCTYPE foo [\u003c!ENTITY big \"${entity}\"\u003e]\u003e\u003croot\u003e${refs}\u003c/root\u003e`;\n\nconsole.time(\u0027parse\u0027);\nnew XMLParser().parse(xml); // ~4\u20138 seconds for ~1.3 KB of XML\nconsole.timeEnd(\u0027parse\u0027);\n\n// 5,000 chars \u00d7 100 refs takes 200+ seconds\n// 50,000 chars \u00d7 1,000 refs will hang indefinitely\n```\n\n### Impact\nThis is a straightforward denial-of-service issue.\n\nAny service that parses user-supplied XML using the default configuration is vulnerable. Since Node.js runs on a single thread, the moment the parser starts expanding entities, the event loop is blocked. While this is happening, the server can\u2019t handle any other requests.\n\nIn testing, a payload of only a few kilobytes was enough to make a simple HTTP server completely unresponsive for several minutes, with all other requests timing out.\n\n### Workaround\n\nAvoid using DOCTYPE parsing by `processEntities: false` option.",
  "id": "GHSA-jmr7-xgp7-cmfj",
  "modified": "2026-02-27T16:50:38Z",
  "published": "2026-02-17T21:30:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-jmr7-xgp7-cmfj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/910dae5be2de2955e968558fadf6e8f74f117a77"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)"
}

GHSA-JQ2W-W7V2-69Q5

Vulnerability from github – Published: 2022-05-24 22:00 – Updated: 2023-03-06 20:47
VLAI
Summary
Apache Solr vulnerable to XML Bomb
Details

Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it?s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.solr:solr-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-12401"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T13:23:13Z",
    "nvd_published_at": "2019-09-10T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Solr versions prior to 5.0.0 are vulnerable to an XML resource consumption attack (a.k.a. Lol Bomb) via it?s update handler.?By leveraging XML DOCTYPE and ENTITY type elements, the attacker can create a pattern that will expand when the server parses the XML causing OOMs.",
  "id": "GHSA-jq2w-w7v2-69q5",
  "modified": "2023-03-06T20:47:32Z",
  "published": "2022-05-24T22:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12401"
    },
    {
      "type": "WEB",
      "url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-12401-XML%20Bomb-Apache%20Solr"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SOLR-13750"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/048ae6e4f84a88e8856f766320b48ad91f9fca2c6f621aa2c40088fe@%3Cdev.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/0ec231c5ed8d242890e21806d25fdd47f80cc47cac278d2fc1c9c579@%3Cdev.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/1c92300643f48f13bc59b15e3f886ba62bae1798c7d4c2e5c1ece09b@%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/521d10a19bfb590f86dff41820ccfb11e92281f233a12c882650931e@%3Cdev.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/60a924662ead9aeea74e8ea128d9ca935f8de925aa71b15ab2787d6a@%3Csolr-user.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/7ab5e95a1a0b4f35ffe53f1eb0cb74b4348b49d41b72ac155b843fa2@%3Cgeneral.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/db8eaca456d03c00a66cbe37548978318d424b9997e3fd7f5c65dffe@%3Cdev.lucene.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190926-0002"
    },
    {
      "type": "WEB",
      "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201909.mbox/%3CCAECwjAXU4%3DkAo5DeUJw7Kvk67sgCmajAN7LGZQNjbjZ8gv%3DBdw%40mail.gmail.com%3E"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/09/10/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Solr  vulnerable to XML Bomb"
}

GHSA-M5FQ-FJ2F-7888

Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34
VLAI
Details

Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-09T23:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 is vulnerable to an XML External Entity Processing (XXE) vulnerability which could allow an authenticated administrator to read arbitrary local files. An attacker must already have obtained product administrator/root privileges to exploit this vulnerability.",
  "id": "GHSA-m5fq-fj2f-7888",
  "modified": "2022-05-24T17:34:01Z",
  "published": "2022-05-24T17:34:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27017"
    },
    {
      "type": "WEB",
      "url": "https://sec-consult.com/en/blog/advisories/vulnerabilities-in-trend-micro-interscan-messaging-security-virtual-appliance-imsva"
    },
    {
      "type": "WEB",
      "url": "https://success.trendmicro.com/solution/000279833"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-M88R-RG27-5XFG

Vulnerability from github – Published: 2026-06-03 21:14 – Updated: 2026-06-03 21:14
VLAI
Summary
Docling: Unsafe XML Entity Expansion in USPTO Patent Backend
Details

Impact

The USPTO patent XML parser used the standard xml.sax.parseString() without protection against XML External Entity (XXE) attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could: - Read arbitrary files from the server filesystem - Perform Server-Side Request Forgery (SSRF) attacks - Cause denial of service through entity expansion (Billion Laughs attack)

The vulnerability affects three USPTO patent format parsers: ICE (v4.x), Grant v2.5, and Application v1.x.

Patches

Fixed in version 2.74.0. The parser now uses defusedxml.sax.make_parser() with secure configuration that blocks external entity resolution (feature_external_ges=False, feature_external_pes=False) while allowing DTD declarations required by USPTO files. This prevents XXE attacks while maintaining compatibility with the USPTO XML format.

Workarounds

Avoid processing USPTO patent XML files from untrusted sources. Implement resource limits (memory, CPU time) when processing patent documents.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "docling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.13.0"
            },
            {
              "fixed": "2.74.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:14:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nThe USPTO patent XML parser used the standard `xml.sax.parseString()` without protection against XML External Entity (XXE) attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could:\n- Read arbitrary files from the server filesystem\n- Perform Server-Side Request Forgery (SSRF) attacks\n- Cause denial of service through entity expansion (Billion Laughs attack)\n\nThe vulnerability affects three USPTO patent format parsers: ICE (v4.x), Grant v2.5, and Application v1.x.\n\n### Patches\nFixed in version 2.74.0. The parser now uses `defusedxml.sax.make_parser()` with secure configuration that blocks external entity resolution (`feature_external_ges=False`, `feature_external_pes=False`) while allowing DTD declarations required by USPTO files. This prevents XXE attacks while maintaining compatibility with the USPTO XML format.\n\n### Workarounds\nAvoid processing USPTO patent XML files from untrusted sources. Implement resource limits (memory, CPU time) when processing patent documents.\n\n### References\n- Fix release: [v2.74.0](https://github.com/docling-project/docling/releases/tag/v2.74.0)",
  "id": "GHSA-m88r-rg27-5xfg",
  "modified": "2026-06-03T21:14:15Z",
  "published": "2026-06-03T21:14:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/docling-project/docling/security/advisories/GHSA-m88r-rg27-5xfg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/docling-project/docling"
    },
    {
      "type": "WEB",
      "url": "https://github.com/docling-project/docling/releases/tag/v2.74.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Docling: Unsafe XML Entity Expansion in USPTO Patent Backend"
}

GHSA-MHJG-98H7-6G9W

Vulnerability from github – Published: 2022-07-13 00:01 – Updated: 2022-07-21 00:00
VLAI
Details

A vulnerability has been identified in Mendix Excel Importer Module (Mendix 8 compatible) (All versions < V9.2.2), Mendix Excel Importer Module (Mendix 9 compatible) (All versions < V10.1.2). The affected component is vulnerable to XML Entity Expansion Injection. An attacker may use this to compromise the availability of the affected component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34467"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-12T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in Mendix Excel Importer Module (Mendix 8 compatible) (All versions \u003c V9.2.2), Mendix Excel Importer Module (Mendix 9 compatible) (All versions \u003c V10.1.2). The affected component is vulnerable to XML Entity Expansion Injection. An attacker may use this to compromise the availability of the affected component.",
  "id": "GHSA-mhjg-98h7-6g9w",
  "modified": "2022-07-21T00:00:31Z",
  "published": "2022-07-13T00:01:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34467"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-610768.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHPX-3RV8-WRJM

Vulnerability from github – Published: 2024-06-07 21:16 – Updated: 2024-06-07 21:16
VLAI
Summary
ZendFramework potential XML eXternal Entity injection vectors
Details

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

  • XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
  • XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zendframework1"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T21:16:36Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Numerous components utilizing PHP\u0027s `DOMDocument`, `SimpleXML`, and `xml_parse` functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.\n",
  "id": "GHSA-mhpx-3rv8-wrjm",
  "modified": "2024-06-07T21:16:36Z",
  "published": "2024-06-07T21:16:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2014-01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2014-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zf1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ZendFramework potential XML eXternal Entity injection vectors"
}

GHSA-MP2W-HJCJ-F5G9

Vulnerability from github – Published: 2024-02-04 21:30 – Updated: 2025-11-04 21:31
VLAI
Details

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-04T20:15:46Z",
    "severity": "MODERATE"
  },
  "details": "libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.",
  "id": "GHSA-mp2w-hjcj-f5g9",
  "modified": "2025-11-04T21:31:05Z",
  "published": "2024-02-04T21:30:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52426"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/pull/777"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libexpat/libexpat/commit/0f075ec8ecb5e43f8fdca5182f8cca4703da0404"
    },
    {
      "type": "WEB",
      "url": "https://cwe.mitre.org/data/definitions/776.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNUBSGZFEZOBHJFTAD42SAN4ATW2VEMV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PNRIHC7DVVRAIWFRGV23Y6UZXFBXSQDB"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240307-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Mitigation
Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

CAPEC-197: Exponential Data Expansion

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.