XML External Entity High

XML parsers that do not restrict external entity processing are open to XML external entity (XXE) attacks, which can lead to server-side request forgery and information disclosure. To prevent XXE, XML parsing code should configure the parser to disable external entities. Libxml2's XMLParseNoEnt option prevents external entity processing, mitigating the risk of XXE issues.
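
A defense-in-depth check that complements the parser configuration described above, as an added example that is not part of the detector's documentation: it uses Go's standard `encoding/xml` tokenizer, which does not resolve external entities, to refuse any document carrying a DOCTYPE or ENTITY declaration before it reaches another parser. The name `RejectDTD` and the sample documents are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrDTDNotAllowed is returned when a document declares a DTD or an entity.
var ErrDTDNotAllowed = errors.New("xml: DOCTYPE/ENTITY declarations are not allowed")

// Constructed sample inputs (not taken from the page).
const sampleBenign = `<?xml version="1.0"?><order id="1"><item>book &amp; pen</item></order>`
const sampleWithDTD = `<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "http://internal.example/"> ]>
<order><item>&ext;</item></order>`

// RejectDTD (hypothetical helper name) walks the token stream of untrusted
// XML and fails on the first DOCTYPE or ENTITY directive. Malformed input is
// rejected as well, so only well-formed, DTD-free documents pass.
func RejectDTD(doc string) error {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil // whole document scanned, no directive found
		}
		if err != nil {
			return fmt.Errorf("xml: malformed input: %w", err)
		}
		if d, ok := tok.(xml.Directive); ok {
			// A Directive holds the text between "<!" and the closing ">".
			up := strings.ToUpper(strings.TrimSpace(string(d)))
			if strings.HasPrefix(up, "DOCTYPE") || strings.HasPrefix(up, "ENTITY") {
				return ErrDTDNotAllowed
			}
		}
	}
}

func main() {
	fmt.Println("benign:", RejectDTD(sampleBenign))
	fmt.Println("with DTD:", RejectDTD(sampleWithDTD))
}
```

Run the check on the raw bytes before handing them to the real parser, and treat any non-nil error as a reason to drop the request.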

Detector ID
go/xml-external-entity@v1.0
Category
Common Weakness Enumeration (CWE)