Describe the Software Vulnerability
The software parses XML input with DocumentBuilderFactory without restricting XML External Entity (XXE) processing. Because the parser resolves external entities declared in a DTD, an attacker who controls the XML can make the server read local files, issue requests to internal or external hosts (SSRF), or exhaust server resources through entity expansion.
Type of Vulnerability
XML External Entity (XXE) Injection
CVE
CWE-611: Improper Restriction of XML External Entity Reference

Expected outcome
After refactoring, the XML parser will be securely configured to disallow the processing of external entities and DTDs, effectively mitigating the risk of XXE attacks. The application will be protected from sensitive data leaks, denial-of-service attacks, and unauthorized external requests.
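As an added illustration of the configuration this outcome describes (example code written for this page, not the project's own before/after code), the following Java class builds a hardened DocumentBuilder next to a default one and parses a constructed sample document that carries a DTD with a harmless internal entity. The class name XxeSafeParser, the method names, and the sample XML are assumptions; the feature URIs are the standard Xerces/JAXP ones and behave as shown on the JDK's built-in parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class XxeSafeParser {

    // Hardened factory: DTDs are rejected outright, so no entity (external or
    // internal) can be declared at all. The remaining settings are defence in
    // depth for parser implementations that do not honour disallow-doctype-decl.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 properties: an empty string means "no protocol may be used".
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    // Default factory as it is commonly written: accepts DTDs and resolves entities.
    public static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the DTD declares only a harmless internal
        // entity, which is enough to show the behavioural difference. The
        // hardened parser refuses any DOCTYPE; the default parser expands it.
        String withDtd = "<!DOCTYPE data [<!ENTITY greeting \"hello\">]><data>&greeting;</data>";
        String plain = "<data>hello</data>";

        Document d = defaultBuilder().parse(new InputSource(new StringReader(withDtd)));
        System.out.println("default parser : " + d.getDocumentElement().getTextContent());

        try {
            hardenedBuilder().parse(new InputSource(new StringReader(withDtd)));
            System.out.println("hardened parser: accepted DTD (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser: rejected DTD -> " + e.getMessage());
        }

        // Ordinary XML without a DOCTYPE still parses normally.
        Document ok = hardenedBuilder().parse(new InputSource(new StringReader(plain)));
        System.out.println("hardened parser: plain XML -> " + ok.getDocumentElement().getTextContent());
    }
}
```

Two points worth checking when applying this in a code base: setFeature throws ParserConfigurationException if the underlying parser does not recognise a feature, so a build against a non-Xerces implementation surfaces the gap at startup rather than silently parsing with entities enabled; and disallow-doctype-decl alone is the single most effective setting, because it removes the place where an entity could be declared, while the other features only matter for parsers or code paths where a DOCTYPE must be tolerated.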
Code before refactoring

Code after refactoring

Additional context
This vulnerability could expose sensitive server files, enable unauthorized requests (SSRF), or cause server crashes through malicious XML. Fixing it ensures secure XML processing and protects server resources.