Improper Restriction of XML External Entity Reference
| Property | Value |
|---|---|
| Language | JavaScript |
| Severity | |
| CWE | CWE-611: Improper Restriction of XML External Entity Reference |
| OWASP | A04:2017 - XML External Entities (XXE) |
| Confidence Level | Low |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
Parsing XML supplied by users with the `node-expat` library without validating the input or disabling the processing of external entities can expose your code to XML External Entity (XXE) attacks. The attack works because untrusted XML is parsed with its document type declaration (DTD) and entity definitions honoured, so an attacker-supplied entity can point at a file or URL of the attacker's choosing and be expanded wherever the document references it.
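Because every XXE payload has to declare its entity inside a DOCTYPE, a parser-independent defence is to inspect untrusted XML and refuse anything carrying a DTD before it reaches `node-expat`. The following is an added example, not code from the original page or from the node-expat project; `inspectXml`, `parseUntrustedXml`, `rootTag` and the sample payloads are hypothetical names and constructed inputs, and the real parser is left as a caller-supplied function so the example runs without the native module.

```javascript
// Added example, not code from the page or from node-expat: a fail-closed
// pre-parse guard for untrusted XML. An XXE payload needs a DOCTYPE (an inline
// DTD subset or a reference to an external DTD), so refusing any input that
// declares one removes the attack surface no matter how the downstream parser
// treats entities. Function names and sample inputs below are hypothetical.

const DOCTYPE_RE = /<!DOCTYPE\b/i;
const ENTITY_RE = /<!ENTITY\b/i;

// Decode bytes before scanning, so a UTF-16 encoded payload cannot slip a
// "<!DOCTYPE" past a byte-oriented check. Returns null if undecodable.
function toText(input) {
  if (typeof input === 'string') return input;
  const buf = Buffer.from(input);
  if (buf.length >= 2 && buf[0] === 0xff && buf[1] === 0xfe) {
    const body = buf.subarray(2);
    return body.length % 2 === 0 ? body.toString('utf16le') : null;
  }
  if (buf.length >= 2 && buf[0] === 0xfe && buf[1] === 0xff) {
    const body = buf.subarray(2);
    return body.length % 2 === 0
      ? Buffer.from(body).swap16().toString('utf16le')
      : null;
  }
  return buf.toString('utf8');
}

// Returns { ok: true, text } for input that may be parsed, otherwise
// { ok: false, reason }. Any DOCTYPE or ENTITY declaration is rejected;
// the occasional false positive (e.g. the word inside a comment) is
// acceptable for a guard that must fail closed.
function inspectXml(input) {
  const text = toText(input);
  if (text === null) return { ok: false, reason: 'undecodable encoding' };
  if (DOCTYPE_RE.test(text)) return { ok: false, reason: 'DOCTYPE declaration present' };
  if (ENTITY_RE.test(text)) return { ok: false, reason: 'ENTITY declaration present' };
  return { ok: true, text };
}

// Wrap the real parser (node-expat in the page's scenario) so untrusted input
// reaches it only after inspection. `parse` is supplied by the caller.
function parseUntrustedXml(input, parse) {
  const verdict = inspectXml(input);
  if (!verdict.ok) throw new Error('Rejected XML: ' + verdict.reason);
  return parse(verdict.text);
}

// Constructed sample inputs: a classic file-read XXE payload, the same payload
// as UTF-16LE bytes with a BOM, and a benign document.
const XXE_PAYLOAD = [
  '<?xml version="1.0"?>',
  '<!DOCTYPE foo [',
  '  <!ENTITY xxe SYSTEM "file:///etc/passwd">',
  ']>',
  '<foo>&xxe;</foo>',
].join('\n');
const XXE_UTF16 = Buffer.concat([
  Buffer.from([0xff, 0xfe]),
  Buffer.from(XXE_PAYLOAD, 'utf16le'),
]);
const BENIGN = '<?xml version="1.0"?><order><id>42</id></order>';

// Stand-in for the real parser: returns the name of the first element.
function rootTag(text) {
  const m = text.match(/<([A-Za-z_][\w.-]*)[\s>\/]/);
  return m ? m[1] : null;
}

console.log(inspectXml(XXE_PAYLOAD));            // { ok: false, reason: 'DOCTYPE declaration present' }
console.log(inspectXml(XXE_UTF16));              // same verdict after decoding
console.log(parseUntrustedXml(BENIGN, rootTag)); // 'order'
```

Rejecting the whole DOCTYPE, rather than only entities declared with `SYSTEM` or `PUBLIC`, also blocks entity-expansion denial of service and parameter-entity tricks, at the cost of refusing documents that legitimately carry a DTD. If those must be accepted, keep the decoding step: a check that looks only at raw bytes misses a UTF-16 encoded payload.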
Impact
If exploited, an attacker could read sensitive files from the server (for example through a `file://` entity), reach internal network services via server-side request forgery (SSRF), or cause a denial of service through recursive entity expansion. The result can be a data breach, unauthorized access to internal resources, and loss of confidentiality and availability for the application.