CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Abstraction: Base. Likelihood of exploit: Medium.
What it is
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Impact
| Scope | Technical impact |
|---|---|
| Availability | DoS: Resource Consumption (Other) |
Mitigations
- [Operation] If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
- [Implementation] Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
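The second mitigation, scanning the DTD for recursive or explosive entity declarations before the real parse, as an added example that is not part of the CWE entry or any MITRE code: Python's stdlib expat is used only to collect internal general entity declarations and is stopped at the first element, so nothing is ever expanded; the expansion size of each entity is then computed from the declaration graph, rejecting cycles (the recursive definitions this CWE names) and any entity whose expansion exceeds a budget. `MAX_EXPANSION`, the function names and the `SAFE`/`BOMB` documents are assumptions constructed for this example.

```python
import re
import xml.parsers.expat

MAX_EXPANSION = 100_000  # assumed policy: characters one entity may expand to
_REF = re.compile(r"&([A-Za-z_][\w.\-]*);")  # general entity refs, not &#..; char refs

class EntityExpansionError(ValueError):
    pass  # raised before any expansion: recursive or over-budget DTD

class _StopAtBody(Exception):
    pass  # internal signal: DTD fully read, do not parse the element tree

def expansion_sizes(entities):
    """Map {name: replacement text} to {name: expanded length} without expanding;
    memoised so the scan stays linear in DTD size even for deeply nested entities."""
    memo = {}
    def size(name, visiting):
        if name in memo:
            return memo[name]
        if name in visiting:  # a -> b -> a: the recursive definition CWE-776 names
            raise EntityExpansionError(f"recursive entity reference: &{name};")
        text = entities.get(name, "")    # undeclared/external: counts as empty here
        total = len(_REF.sub("", text))  # literal characters, references stripped
        for ref in _REF.findall(text):
            total += size(ref, visiting | {name})
            if total > MAX_EXPANSION:
                raise EntityExpansionError(f"&{name}; expands past {MAX_EXPANSION}")
        memo[name] = total
        return total
    return {name: size(name, frozenset()) for name in entities}

def check_dtd(xml_bytes):
    """Let expat read only the DTD, stop at the first element, and return the
    expansion table; raises EntityExpansionError before a single reference is expanded."""
    entities, parser = {}, xml.parsers.expat.ParserCreate()
    def on_entity(name, is_param, value, base, sys_id, pub_id, notation):
        if not is_param and value is not None:  # internal general entity only
            entities[name] = value
    def on_element(name, attrs):
        raise _StopAtBody
    parser.EntityDeclHandler, parser.StartElementHandler = on_entity, on_element
    try:
        parser.Parse(xml_bytes, True)
    except _StopAtBody:
        pass
    return expansion_sizes(entities)

# Constructed samples: an ordinary DTD and a small "billion laughs"-shaped one (l5 -> 300,000 chars).
SAFE = b'<!DOCTYPE note [<!ENTITY co "Example Corp"><!ENTITY sig "Regards, &co;">]><note>&sig;</note>'
BOMB = (b'<!DOCTYPE x [<!ENTITY l0 "lol">' + b"".join(
    b'<!ENTITY l%d "%s">' % (i, (b"&l%d;" % (i - 1)) * 10) for i in range(1, 6)) + b"]><x>&l5;</x>")
```

Because the scan is memoised and never materialises an expansion, its cost is bounded by the size of the DTD itself, so it cannot be turned into a second denial-of-service vector; it covers only the internal-entity case this CWE describes, and a production gate would also reject external and parameter entities it does not expect.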
Real-world CVE examples
- CVE-2008-3281 — XEE in XML-parsing library.
- CVE-2011-3288 — XML bomb / XEE in enterprise communication product.
- CVE-2011-1755 — "Billion laughs" attack in XMPP server daemon.
- CVE-2009-1955 — XML bomb in web server module.
- CVE-2003-1564 — Parsing library allows XML bomb.
Source: MITRE CWE (cwe.mitre.org).