# Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
## Description
The application passes user-supplied data directly to the XML parser (node-expat) without validating or sanitizing it first, so an attacker who controls that input can craft XML that the parser processes unsafely.
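One way to close the pattern described above, shown as an added example rather than code from the scanner or from node-expat: refuse client-supplied XML that carries a DOCTYPE before it ever reaches the parser, since entity declarations can only live inside a DOCTYPE and a DOCTYPE can only appear in the prolog. The sample documents and the `parseIfSafe` wrapper are constructed for illustration and assume the endpoint never legitimately needs a DTD.

```javascript
'use strict';
// Added example, not code from node-expat or the scanned application. Policy assumed:
// the endpoint only needs elements, attributes and text, so any DTD in client-supplied
// XML is unexpected and the document is rejected before it reaches the parser. Entity
// declarations live only inside a DOCTYPE, and a DOCTYPE may appear only in the prolog.

const DOCTYPE_START = /^<!DOCTYPE[\s[>]/i;

// Walks the prolog (BOM, XML declaration, comments, PIs) and stops at the first
// construct that is either a DOCTYPE or the root element.
function inspectProlog(xml) {
  let i = xml.charCodeAt(0) === 0xfeff ? 1 : 0; // skip a byte-order mark
  const n = xml.length;
  while (i < n) {
    while (i < n && /\s/.test(xml[i])) i++;
    if (i >= n) break;
    if (xml[i] !== '<') return { ok: false, reason: 'text before root element' };
    const head = xml.slice(i, i + 10);
    if (head.startsWith('<?')) {             // XML declaration or processing instruction
      const end = xml.indexOf('?>', i);
      if (end < 0) return { ok: false, reason: 'unterminated processing instruction' };
      i = end + 2;
    } else if (head.startsWith('<!--')) {    // comment
      const end = xml.indexOf('-->', i);
      if (end < 0) return { ok: false, reason: 'unterminated comment' };
      i = end + 3;
    } else if (DOCTYPE_START.test(head)) {
      return { ok: false, reason: 'DOCTYPE declaration in untrusted input' };
    } else {
      return { ok: true };                   // root element reached, no DTD present
    }
  }
  return { ok: false, reason: 'no root element' };
}

// Constructed samples: a benign order document and one that declares an external entity.
const BENIGN = '<?xml version="1.0"?>\n<!-- order feed -->\n<order id="42"><item>widget</item></order>';
const WITH_DTD = '<?xml version="1.0"?>\n<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>\n<order>&ext;</order>';

// Gate before parsing. With node-expat, `parse` would wrap `new expat.Parser('UTF-8')`
// and `parser.parse(xml)`; the native module is not loaded in this example.
function parseIfSafe(xml, parse) {
  const verdict = inspectProlog(xml);
  if (!verdict.ok) return { parsed: false, reason: verdict.reason };
  parse(xml);
  return { parsed: true };
}

console.log(parseIfSafe(BENIGN, () => {}), parseIfSafe(WITH_DTD, () => {}));
```

As a second layer inside the parser itself, node-expat's `entityDecl` event (listed among its documented events; confirm it in your installed version) can be used to stop parsing as soon as any entity is declared.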
## Impact
If exploited, an attacker could abuse XML External Entity (XXE) processing to read sensitive files from the server, reach internal resources, or trigger a denial of service, resulting in data breaches, information leakage, or service disruption.