Common Weakness Enumeration

CWE-776

Allowed

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Abstraction: Base · Status: Draft

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

142 vulnerabilities reference this CWE, most recent first.

GHSA-8GC5-J5RX-235R

Vulnerability from github – Published: 2026-03-17 19:45 – Updated: 2026-03-25 14:31
VLAI
Summary
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Details

Summary

The fix for CVE-2026-26278 added entity expansion limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xHH;) and standard XML entities (<, >, etc.) are processed through a separate code path that does NOT enforce any expansion limits.

An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.

Affected Versions

fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)

Root Cause

In src/xmlparser/OrderedObjParser.js, the replaceEntitiesValue() function has two separate entity replacement loops:

  1. Lines 638-670: DOCTYPE entities — expansion counting with entityExpansionCount and currentExpandedLength tracking. This was the CVE-2026-26278 fix.
  2. Lines 674-677: lastEntities loop — replaces standard entities including num_dec (/&#([0-9]{1,7});/g) and num_hex (/&#x([0-9a-fA-F]{1,6});/g). This loop has NO expansion counting at all.

The numeric entity regex replacements at lines 97-98 are part of lastEntities and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.

Proof of Concept

const { XMLParser } = require('fast-xml-parser');

// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
  processEntities: {
    enabled: true,
    maxTotalExpansions: 10,
    maxExpandedLength: 100,
    maxEntityCount: 1,
    maxEntitySize: 10
  }
});

// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'&#65;'.repeat(100000)}</root>`;
const result = parser.parse(xml);

// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length);  // 500000
console.log('Expected max:', 100);  // limit was 100

Results: - 100K &#65; references → 500,000 char output (5x default maxExpandedLength of 100,000) - 1M references → 5,000,000 char output, ~147MB memory consumed - Even with maxTotalExpansions=10 and maxExpandedLength=100, 10K references produce 50,000 chars - Hex entities (&#x41;) exhibit the same bypass

Impact

Denial of Service — An attacker who can provide XML input to applications using fast-xml-parser can cause: - Excessive memory allocation (147MB+ for 1M entity references) - CPU consumption during regex replacement - Potential process crash via OOM

This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.

Suggested Fix

Apply the same entityExpansionCount and currentExpandedLength tracking to the lastEntities loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.

Workaround

Set htmlEntities:false

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "fast-xml-parser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-beta.3"
            },
            {
              "fixed": "4.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T19:45:41Z",
    "nvd_published_at": "2026-03-20T06:16:11Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe fix for CVE-2026-26278 added entity expansion limits (`maxTotalExpansions`, `maxExpandedLength`, `maxEntityCount`, `maxEntitySize`) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. **Numeric character references** (`\u0026#NNN;` and `\u0026#xHH;`) and standard XML entities (`\u0026lt;`, `\u0026gt;`, etc.) are processed through a separate code path that does NOT enforce any expansion limits.\n\nAn attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.\n\n## Affected Versions\n\nfast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)\n\n## Root Cause\n\nIn `src/xmlparser/OrderedObjParser.js`, the `replaceEntitiesValue()` function has two separate entity replacement loops:\n\n1. **Lines 638-670**: DOCTYPE entities \u2014 expansion counting with `entityExpansionCount` and `currentExpandedLength` tracking. This was the CVE-2026-26278 fix.\n2. **Lines 674-677**: `lastEntities` loop \u2014 replaces standard entities including `num_dec` (`/\u0026#([0-9]{1,7});/g`) and `num_hex` (`/\u0026#x([0-9a-fA-F]{1,6});/g`). **This loop has NO expansion counting at all.**\n\nThe numeric entity regex replacements at lines 97-98 are part of `lastEntities` and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.\n\n## Proof of Concept\n\n```javascript\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\n// Even with strict explicit limits, numeric entities bypass them\nconst parser = new XMLParser({\n  processEntities: {\n    enabled: true,\n    maxTotalExpansions: 10,\n    maxExpandedLength: 100,\n    maxEntityCount: 1,\n    maxEntitySize: 10\n  }\n});\n\n// 100K numeric entity references \u2014 should be blocked by maxTotalExpansions=10\nconst xml = `\u003croot\u003e${\u0027\u0026#65;\u0027.repeat(100000)}\u003c/root\u003e`;\nconst result = parser.parse(xml);\n\n// Output: 500,000 chars \u2014 bypasses maxExpandedLength=100 completely\nconsole.log(\u0027Output length:\u0027, result.root.length);  // 500000\nconsole.log(\u0027Expected max:\u0027, 100);  // limit was 100\n```\n\n**Results:**\n- 100K `\u0026#65;` references \u2192 500,000 char output (5x default maxExpandedLength of 100,000)\n- 1M references \u2192 5,000,000 char output, ~147MB memory consumed\n- Even with `maxTotalExpansions=10` and `maxExpandedLength=100`, 10K references produce 50,000 chars\n- Hex entities (`\u0026#x41;`) exhibit the same bypass\n\n## Impact\n\n**Denial of Service** \u2014 An attacker who can provide XML input to applications using fast-xml-parser can cause:\n- Excessive memory allocation (147MB+ for 1M entity references)\n- CPU consumption during regex replacement\n- Potential process crash via OOM\n\nThis is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.\n\n## Suggested Fix\n\nApply the same `entityExpansionCount` and `currentExpandedLength` tracking to the `lastEntities` loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.\n\n## Workaround\n\nSet `htmlEntities:false`",
  "id": "GHSA-8gc5-j5rx-235r",
  "modified": "2026-03-25T14:31:39Z",
  "published": "2026-03-17T19:45:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"
}

GHSA-8X2V-PCG7-94F4

Vulnerability from github – Published: 2024-06-07 21:49 – Updated: 2024-06-07 21:49
VLAI
Summary
Zend-JSON vulnerable to XXE/XEE attacks
Details

Numerous components utilizing PHP's DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:

  • XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.
  • XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zend-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendframework/zend-json"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T21:49:11Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "Numerous components utilizing PHP\u0027s DOMDocument, SimpleXML, and xml_parse functionality are vulnerable to two types of attacks:\n\n- XML eXternal Entity (XXE) Injection attacks. The above mentioned extensions are insecure by default, allowing external entities to be specified by adding a specific DOCTYPE element to XML documents and strings. By exploiting this vulnerability an application may be coerced to open arbitrary files and/or TCP connections.\n- XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.",
  "id": "GHSA-8x2v-pcg7-94f4",
  "modified": "2024-06-07T21:49:11Z",
  "published": "2024-06-07T21:49:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/078e77a6e59cdbf32a94691afe3523db340f5da9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/7a747fbefe566c28a94b7e7ca37c15fc09ba4754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/865f96ecbc5e080fccb5e75304ce06ac57d2ce22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/89fc6f760478dc15519cb3ef4e4976425dc6ee10"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/9fe5103dc9be472fa0a443ca36619a2953b6f88e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendframework/zend-json/commit/acc60fc3fe56f5b0ad218c4c5789b21f11bc3a89"
    },
    {
      "type": "WEB",
      "url": "https://framework.zend.com/security/advisory/ZF2014-01"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zend-json/ZF2014-01.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zendframework/zend-json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zend-JSON vulnerable to XXE/XEE attacks"
}

GHSA-8X79-XCGH-GHVM

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38490"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-10T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Altova MobileTogether Server before 7.3 SP1 allows XML exponential entity expansion, a different vulnerability than CVE-2021-37425.",
  "id": "GHSA-8x79-xcgh-ghvm",
  "modified": "2022-05-24T19:10:48Z",
  "published": "2022-05-24T19:10:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38490"
    },
    {
      "type": "WEB",
      "url": "https://www.redteam-pentesting.de/advisories/rt-sa-2021-002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-8XGG-2WJC-GWGJ

Vulnerability from github – Published: 2022-10-11 19:00 – Updated: 2022-10-13 19:00
VLAI
Details

Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-34430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-11T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.",
  "id": "GHSA-8xgg-2wjc-gwgj",
  "modified": "2022-10-13T19:00:19Z",
  "published": "2022-10-11T19:00:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34430"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000203345/dsa-2022-260-dell-hybrid-client-security-update-for-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-93HF-XXFJ-6GX3

Vulnerability from github – Published: 2022-05-24 19:14 – Updated: 2022-05-24 19:14
VLAI
Details

XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-31842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-17T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.",
  "id": "GHSA-93hf-xxfj-6gx3",
  "modified": "2022-05-24T19:14:57Z",
  "published": "2022-05-24T19:14:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31842"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9882-28WJ-G67P

Vulnerability from github – Published: 2022-05-24 17:09 – Updated: 2024-03-21 03:33
VLAI
Details

An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9352"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-02-23T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.",
  "id": "GHSA-9882-28wj-g67p",
  "modified": "2024-03-21T03:33:54Z",
  "published": "2022-05-24T17:09:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9352"
    },
    {
      "type": "WEB",
      "url": "https://blog.certimetergroup.com/it/articolo/security/smartclient-v12-xml-external-entity--cve-2020-9352"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2020/Feb/18"
    },
    {
      "type": "WEB",
      "url": "https://www-demos.smartclient.com/smartclient-12.0/isomorphic/system/reference/?id=group..toolsDeployment"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F4Q-Q82Q-4359

Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-18 15:21
VLAI
Summary
Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks
Details

Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "docling"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.61.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31248"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T15:21:03Z",
    "nvd_published_at": "2026-05-11T17:16:19Z",
    "severity": "HIGH"
  },
  "details": "Docling\u0027s METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can craft a malicious XML file with nested entity definitions (XML Bomb) and package it into a .tar.gz archive. When processed by Docling, the exponential expansion of entities during XML parsing leads to excessive resource consumption, resulting in a denial of service (DoS) condition on the system running the Docling parser.",
  "id": "GHSA-9f4q-q82q-4359",
  "modified": "2026-05-18T15:21:03Z",
  "published": "2026-05-11T18:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31248"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/docling-project/docling"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/CVE-2026-31248-35d1e1393188818585b2ce3b9ce24686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Docling\u0027s METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks"
}

GHSA-9FMG-89FX-R33W

Vulnerability from github – Published: 2022-06-29 22:39 – Updated: 2022-07-11 19:25
VLAI
Summary
Quadratic blowup in Convert::xml2array()
Details

Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "silverstripe/framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.10.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T22:39:50Z",
    "nvd_published_at": "2022-06-28T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Silverstripe silverstripe/framework 4.x until 4.10.9 has a quadratic blowup in Convert::xml2array() that enables a remote attack via a crafted XML document.",
  "id": "GHSA-9fmg-89fx-r33w",
  "modified": "2022-07-11T19:25:18Z",
  "published": "2022-06-29T22:39:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41559"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/CVE-2021-41559.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/silverstripe/silverstripe-framework/releases"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases"
    },
    {
      "type": "WEB",
      "url": "https://www.silverstripe.org/download/security-releases/cve-2021-41559"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Quadratic blowup in Convert::xml2array()"
}

GHSA-9FP8-GJQ2-822P

Vulnerability from github – Published: 2023-08-31 15:30 – Updated: 2024-04-04 07:20
VLAI
Details

A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41635"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-31T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "A XML External Entity (XXE) vulnerability in the VerifichePeriodiche.aspx component of GruppoSCAI RealGimm v1.1.37p38 allows attackers to read any file in the filesystem via supplying a crafted XML file.",
  "id": "GHSA-9fp8-gjq2-822p",
  "modified": "2024-04-04T07:20:29Z",
  "published": "2023-08-31T15:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41635"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CapgeminiCisRedTeam/Disclosure/blob/f7aafa9fcd4efa30071c7f77d3e9e6b14e92302b/CVE%20PoC/CVE-2023-41635%20%7C%20RealGimm%20-%20XML%20External%20Entity%20Injection.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/CapgeminiCisRedTeam/Disclosure/blob/main/CVE%20PoC/CVE-ID%20%7C%20RealGimm%20-%20XML%20External%20Entity%20Injection.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GCV-G5Q9-F633

Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-08-06 00:00
VLAI
Details

It has been discovered that redhat-certification does not properly limit the number of recursive definitions of entities in XML documents while parsing the status of a host. A remote attacker could use this vulnerability to consume all the memory of the server and cause a Denial of Service. This flaw affects redhat-certification version 7.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-776"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-26T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "It has been discovered that redhat-certification does not properly limit the number of recursive definitions of entities in XML documents while parsing the status of a host. A remote attacker could use this vulnerability to consume all the memory of the server and cause a Denial of Service. This flaw affects redhat-certification version 7.",
  "id": "GHSA-9gcv-g5q9-f633",
  "modified": "2022-08-06T00:00:44Z",
  "published": "2022-05-24T19:03:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10868"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-10868"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593776"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Operation

If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.

Mitigation
Implementation

Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

CAPEC-197: Exponential Data Expansion

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.