CWE-776
AllowedImproper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Abstraction: Base · Status: Draft
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
142 vulnerabilities reference this CWE, most recent first.
GHSA-QC7W-4567-84WV
Vulnerability from github – Published: 2024-06-07 20:30 – Updated: 2024-06-07 20:30Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:
- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "zendframework/zendframework"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T20:30:06Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "Numerous components utilizing PHP\u0027s DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.",
"id": "GHSA-qc7w-4567-84wv",
"modified": "2024-06-07T20:30:06Z",
"published": "2024-06-07T20:30:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/225a8c9f1c3bc08c0bddf22486a8a39ff7186ac1"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/5dab7b8e77741dbba56209616b7815bb04f4c561"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/68d0756c596baeefad0b733b42ef2657d09c7f4e"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/bbcf41e676ef6d8f16ea9d6499050bca0787eb6c"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/ee7f81cc996fb1c16c7dae23eca9ec013ab74730"
},
{
"type": "WEB",
"url": "https://github.com/zendframework/zendframework/commit/fbeba98d5a9924b026a5dd98f679143fd6be89ea"
},
{
"type": "WEB",
"url": "https://framework.zend.com/security/advisory/ZF2014-01"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework/ZF2014-01.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zendframework/zendframework"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Zendframework vulnerable to XXE/XEE attacks"
}
GHSA-QPMC-WPRV-X746
Vulnerability from github – Published: 2022-04-12 21:31 – Updated: 2022-04-12 21:31The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.
{
"affected": [
{
"package": {
"ecosystem": "Hex",
"name": "sweet_xml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-15160"
],
"database_specific": {
"cwe_ids": [
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-12T21:31:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD.",
"id": "GHSA-qpmc-wprv-x746",
"modified": "2022-04-12T21:31:26Z",
"published": "2022-04-12T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15160"
},
{
"type": "WEB",
"url": "https://github.com/kbrw/sweet_xml/issues/71"
},
{
"type": "PACKAGE",
"url": "https://github.com/kbrw/sweet_xml"
},
{
"type": "WEB",
"url": "https://hex.pm/packages/sweet_xml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Inline DTD allows XML bomb attack"
}
GHSA-QW4H-3XJJ-84CC
Vulnerability from github – Published: 2023-12-01 00:31 – Updated: 2025-11-04 18:12The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles.
This issue affects Apache Tiles from version 2 onwards.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tiles:tiles-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.struts:struts-tiles"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"last_affected": "1.3.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "struts:struts"
},
"ranges": [
{
"events": [
{
"introduced": "1.1"
},
{
"last_affected": "1.2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49735"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2023-12-11T21:45:42Z",
"nvd_published_at": "2023-11-30T22:15:09Z",
"severity": "HIGH"
},
"details": "The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the \u0027tiles-test\u0027 application shipped with Tiles.\n\nThis issue affects Apache Tiles from version 2 onwards.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-qw4h-3xjj-84cc",
"modified": "2025-11-04T18:12:32Z",
"published": "2023-12-01T00:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49735"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tiles"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/8ktm4vxr6vvc1qsxh6ft8jzmom1zl65p"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Tiles: Unvalidated input may lead to path traversal and XXE"
}
GHSA-R3XG-RG9J-67FV
Vulnerability from github – Published: 2026-06-03 21:13 – Updated: 2026-06-03 21:13Impact
The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity (XXE) attacks to read local files or cause denial of service - Decompression bombs (zip bombs) to exhaust memory and disk space - Unbounded archive extraction consuming system resources
An attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.
Patches
Fixed in version 2.91.0. The fix implements:
- Secure XML parsing with resolve_entities=False, load_dtd=False, and no_network=True
- Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count
- Cumulative size tracking across all extractions
- Early termination when limits are exceeded
- Secure format detection of METS-GBS tar archives with _detect_mets_gbs() method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded
Workarounds
Avoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.
References
- Fix release: v2.91.0
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "docling"
},
"ranges": [
{
"events": [
{
"introduced": "2.45.0"
},
{
"fixed": "2.91.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44018"
],
"database_specific": {
"cwe_ids": [
"CWE-409",
"CWE-611",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-03T21:13:32Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThe METS-GBS backend\u0027s XML parsing and the input document format detection lacked security controls, enabling:\n- XML External Entity (XXE) attacks to read local files or cause denial of service\n- Decompression bombs (zip bombs) to exhaust memory and disk space\n- Unbounded archive extraction consuming system resources\n\nAn attacker could craft malicious METS-GBS archives that, when processed, could read sensitive files, exhaust system resources, or cause application crashes.\n\n### Patches\nFixed in version 2.91.0. The fix implements:\n- Secure XML parsing with `resolve_entities=False`, `load_dtd=False`, and `no_network=True`\n- Configurable limits: 300 MB total extraction size, 10 MB per file, 1000 member count\n- Cumulative size tracking across all extractions\n- Early termination when limits are exceeded\n- Secure format detection of METS-GBS tar archives with `_detect_mets_gbs()` method: maximum file size (10 MB per file), maximum member count (1000 members), and exception handling to gracefully fail when limits are exceeded\n\n### Workarounds\nAvoid processing METS-GBS archives from untrusted sources. If necessary, pre-validate archives in an isolated environment with resource limits.\n\n### References\n- Fix release: [v2.91.0](https://github.com/docling-project/docling/releases/tag/v2.91.0)",
"id": "GHSA-r3xg-rg9j-67fv",
"modified": "2026-06-03T21:13:33Z",
"published": "2026-06-03T21:13:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/docling-project/docling/security/advisories/GHSA-r3xg-rg9j-67fv"
},
{
"type": "PACKAGE",
"url": "https://github.com/docling-project/docling"
},
{
"type": "WEB",
"url": "https://github.com/docling-project/docling/releases/tag/v2.91.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend"
}
GHSA-R777-X2JC-XGC6
Vulnerability from github – Published: 2022-05-24 17:31 – Updated: 2022-05-24 17:31An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-25186"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-22T21:15:00Z",
"severity": "HIGH"
},
"details": "An XXE vulnerability exists within LeviStudioU Release Build 2019-09-21 and prior when processing parameter entities, which may allow file disclosure.",
"id": "GHSA-r777-x2jc-xgc6",
"modified": "2022-05-24T17:31:58Z",
"published": "2022-05-24T17:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25186"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-238-03"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RFHM-XWGJ-V2Q9
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request.
{
"affected": [],
"aliases": [
"CVE-2020-24052"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "Several XML External Entity (XXE) vulnerabilities in the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units allow remote unauthenticated users to read arbitrary files via a crafted Document Type Definition (DTD) in an XML request.",
"id": "GHSA-rfhm-xwgj-v2q9",
"modified": "2022-05-24T17:26:19Z",
"published": "2022-05-24T17:26:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24052"
},
{
"type": "WEB",
"url": "https://ioac.tv/3hy1xu6"
},
{
"type": "WEB",
"url": "https://ioactive.com/moog-exo-series-multiple-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RPCF-XW9J-7C7J
Vulnerability from github – Published: 2022-05-17 01:59 – Updated: 2024-02-02 15:30jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
{
"affected": [],
"aliases": [
"CVE-2011-1755"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-06-21T02:52:00Z",
"severity": "MODERATE"
},
"details": "jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.",
"id": "GHSA-rpcf-xw9j-7c7j",
"modified": "2024-02-02T15:30:27Z",
"published": "2022-05-17T01:59:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1755"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=700390"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67770"
},
{
"type": "WEB",
"url": "https://hermes.opensuse.org/messages/9197650"
},
{
"type": "WEB",
"url": "http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/44787"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/44957"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/45112"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT5002"
},
{
"type": "WEB",
"url": "http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html"
},
{
"type": "WEB",
"url": "http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01655.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0881.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0882.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/48250"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RPRC-6FR2-45V9
Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2022-05-24 17:09An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal.
{
"affected": [],
"aliases": [
"CVE-2020-9354"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-23T02:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. path traversal.",
"id": "GHSA-rprc-6fr2-45v9",
"modified": "2022-05-24T17:09:30Z",
"published": "2022-05-24T17:09:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9354"
},
{
"type": "WEB",
"url": "https://seclists.org/fulldisclosure/2020/Feb/18"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RVWF-54QP-4R6V
Vulnerability from github – Published: 2021-06-04 21:37 – Updated: 2022-08-11 21:47The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.yaml:snakeyaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-18640"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2021-06-04T21:34:16Z",
"nvd_published_at": "2019-12-12T03:15:00Z",
"severity": "HIGH"
},
"details": "The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.",
"id": "GHSA-rvwf-54qp-4r6v",
"modified": "2022-08-11T21:47:32Z",
"published": "2021-06-04T21:37:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18640"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d@%3Ccommon-dev.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2@%3Cpr.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95@%3Ccommits.servicecomb.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a@%3Ccommits.pulsar.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b@%3Cdev.phoenix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da@%3Ccommits.pulsar.apache.org%3E"
},
{
"type": "PACKAGE",
"url": "https://bitbucket.org/asomov/snakeyaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a@%3Ccommits.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6"
},
{
"type": "WEB",
"url": "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-28"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"type": "WEB",
"url": "https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c"
},
{
"type": "WEB",
"url": "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion"
},
{
"type": "WEB",
"url": "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack"
},
{
"type": "WEB",
"url": "https://bitbucket.org/asomov/snakeyaml/wiki/Changes"
},
{
"type": "WEB",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/377"
},
{
"type": "WEB",
"url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457@%3Ccommits.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8@%3Ccommon-commits.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854@%3Ccommits.pulsar.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e@%3Cdev.phoenix.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14@%3Ccommits.servicecomb.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422@%3Cdev.atlas.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25@%3Ccommits.cassandra.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda@%3Ccommon-issues.hadoop.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea@%3Ccommits.pulsar.apache.org%3E"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "SnakeYAML Entity Expansion during load operation"
}
GHSA-VMWR-MC7X-5VC3
Vulnerability from github – Published: 2024-08-22 16:40 – Updated: 2025-11-03 22:47Impact
The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.
If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.
Patches
The REXML gem 3.3.6 or later include the patch to fix the vulnerability.
Workarounds
Don't parse untrusted XMLs with tree parser API.
References
- https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rexml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-43398"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2024-08-22T16:40:46Z",
"nvd_published_at": "2024-08-22T15:15:16Z",
"severity": "HIGH"
},
"details": "### Impact\n\nThe REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.\n\nIf you need to parse untrusted XMLs with tree parser API like `REXML::Document.new`, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.\n\n### Patches\n\nThe REXML gem 3.3.6 or later include the patch to fix the vulnerability.\n\n### Workarounds\n\nDon\u0027t parse untrusted XMLs with tree parser API.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org",
"id": "GHSA-vmwr-mc7x-5vc3",
"modified": "2025-11-03T22:47:47Z",
"published": "2024-08-22T16:40:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43398"
},
{
"type": "WEB",
"url": "https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/rexml"
},
{
"type": "WEB",
"url": "https://github.com/ruby/rexml/releases/tag/v3.3.6"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2024-43398.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250103-0006"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "REXML denial of service vulnerability"
}
Mitigation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Mitigation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
CAPEC-197: Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.