Property
Language: python
Severity: medium
CWE: CWE-611: Improper Restriction of XML External Entity Reference
OWASP: A04:2017 - XML External Entities (XXE)
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

Parsing untrusted XML data using Python’s built-in xml library can expose your application to XML External Entity (XXE) attacks. This occurs because the default parser does not securely handle external entities, making it unsafe for untrusted input.
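The guard a defender would put in front of the standard-library parser, as an added example that is not part of this rule page: it registers xml.parsers.expat handlers that refuse any entity declaration or external entity reference (and, optionally, any DOCTYPE) before the document is processed. The sample documents and the placeholder URI are constructed for the demonstration.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML declares entities or references external ones."""


def parse_untrusted_xml(data: bytes, forbid_dtd: bool = False) -> list[tuple[str, dict]]:
    """Parse XML with expat while refusing the constructs behind XXE and
    entity-expansion attacks. Returns (tag, attributes) for each start element,
    standing in for whatever the application does with the parsed document."""
    elements: list[tuple[str, dict]] = []
    parser = xml.parsers.expat.ParserCreate()

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Strictest option: only a DTD can declare entities, so refuse all of them.
        if forbid_dtd:
            raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def entity_decl(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
        # Covers SYSTEM/PUBLIC (external) entities and internal ones used for expansion DoS.
        raise UnsafeXMLError(f"entity declaration {name!r} is not accepted")

    def external_entity_ref(context, base, system_id, public_id):
        # expat does not fetch external entities by itself; refusing here guarantees
        # that no handler of ours ever resolves the URI.
        raise UnsafeXMLError(f"external entity reference {system_id!r} is not accepted")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, attrs))
    parser.Parse(data, True)  # exceptions raised inside handlers propagate out of Parse()
    return elements


def is_safe_xml(data: bytes, forbid_dtd: bool = False) -> bool:
    """True if data parses without tripping the guard; malformed XML counts as rejected."""
    try:
        parse_untrusted_xml(data, forbid_dtd)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample inputs; the file URI is a placeholder, not a real target.
BENIGN_DOC = b'<order id="42"><item sku="A1"/></order>'
DOCTYPE_DOC = b'<!DOCTYPE order [<!ELEMENT order EMPTY>]><order/>'
XXE_DOC = b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]><r>&ext;</r>'
EXPANSION_DOC = b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;">]><r>&b;</r>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOC), ("xxe", XXE_DOC), ("expansion", EXPANSION_DOC)]:
        print(label, "accepted" if is_safe_xml(doc) else "rejected")
```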

Impact

If exploited, attackers could read sensitive files from your server, perform server-side request forgery (SSRF), or trigger denial-of-service attacks with malicious XML payloads. This can lead to data breaches, system downtime, and compromise of internal systems.