XXE
XXE, short for XML External Entity (injection), is a security vulnerability that arises when an XML parser processes untrusted input containing references to external entities. If the parser resolves those entities, an attacker can read local files, make the server issue requests to internal or external resources, or consume excessive resources, leading to information disclosure, server-side request forgery (SSRF), or denial of service.
Mechanism: In XML, a document can declare a DOCTYPE with an ENTITY that points to a system
Impact: In vulnerable deployments, XXE can enable disclosure of sensitive configuration data, credentials, or internal file
Mitigation: Disable DTD processing and external entity resolution in XML parsers, or enable the parser's secure processing mode. Rejecting any document that carries a DOCTYPE is the most robust option, because it also stops internal entity expansion attacks (the "billion laughs" denial of service) that disabling external entities alone does not cover.
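As an added, self-contained illustration (not code from the page) of both the mechanism and the mitigation, the program below uses Python's standard library xml.sax parser. `parse_unsafely` switches on external general entity resolution, so a SYSTEM entity pointing at a local file is expanded into the document's text; `parse_safely` keeps external entities disabled and additionally aborts on any DOCTYPE via a lexical handler. The secret file, its contents and the payload are constructed for the demonstration.

```python
"""Added example: XXE file disclosure with xml.sax, and a hardened parser that refuses DTDs."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

# Constructed sample secret written to a temporary file; not a real credential.
SECRET = "db_password=s3cr3t-value"


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class UnsafeXML(ValueError):
    """Raised by the hardened parser when a document carries a DOCTYPE."""


class DoctypeRejector:
    """Lexical handler: abort as soon as a DTD is declared.

    No DTD means no entity declarations at all, so neither external entities
    (file read / SSRF) nor nested internal entities (expansion DoS) can be used.
    """

    def startDTD(self, name, public_id, system_id):
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed (system id {system_id!r})")

    # The other lexical callbacks expatreader wires up; nothing to do for them.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def xxe_payload(path: str) -> bytes:
    """Attacker-controlled document: a SYSTEM entity whose identifier is a local file path."""
    return f'''<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "{path}">
]>
<data>&xxe;</data>'''.encode()


def parse_unsafely(xml_bytes: bytes) -> str:
    """Vulnerable configuration: external general entities are resolved by the parser."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, True)  # the dangerous setting
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_safely(xml_bytes: bytes) -> str:
    """Hardened configuration: external entities off and any DOCTYPE rejected outright."""
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, DoctypeRejector())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Returns (leaked_text, hardened_blocked, benign_text) for the two parsers."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "app.conf")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write(SECRET)
        payload = xxe_payload(secret_path)
        leaked = parse_unsafely(payload)        # file contents end up in the document text
        try:
            parse_safely(payload)
            blocked = False
        except UnsafeXML:
            blocked = True                      # hardened parser never touches the file
    benign = parse_safely(b"<data>hello</data>")  # DOCTYPE-free input still parses
    return leaked, blocked, benign


if __name__ == "__main__":
    leaked, blocked, benign = demo()
    print("unsafe parser leaked:", leaked)
    print("hardened parser blocked payload:", blocked)
    print("hardened parser on benign input:", benign)
```

The same pattern applies to other parsers: turn off external entity resolution (the equivalent of `feature_external_ges`) and refuse DOCTYPE declarations before any entity can be declared, rather than trying to filter individual entity names.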