1. Home
  2. CWE Database
  3. CWE-611
Base · Medium

CWE-611: Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into...

CWE-611 · Base Level ·11 CVEs ·1 Mitigations

Description

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

XXE Injection Guide

Read our in-depth guide on exploiting and mitigating this weakness

Potential Impact

Confidentiality

Read Application Data, Read Files or Directories

Integrity

Bypass Protection Mechanism

Availability

DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Mitigations & Prevention

ImplementationSystem Configuration

Many XML parsers and validators can be configured to disable external entity expansion.

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE IDDescription
CVE-2022-42745Recruiter software allows reading arbitrary files using XXE
CVE-2005-1306A browser control can allow remote attackers to determine the existence of files via Javascript containing XML script.
CVE-2012-5656XXE during SVG image conversion
CVE-2012-2239XXE in PHP application allows reading the application's configuration file.
CVE-2012-3489XXE in database server
CVE-2012-4399XXE in rapid web application development framework allows reading arbitrary files.
CVE-2012-3363XXE via XML-RPC request.
CVE-2012-0037XXE in office document product using RDF.
CVE-2011-4107XXE in web-based administration tool for database.
CVE-2010-3322XXE in product that performs large-scale data analysis.
CVE-2009-1699XXE in XSL stylesheet functionality in a common library used by some web browsers.

CWE-610: Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended ...

CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently ...

Taxonomy Mappings

  • WASC: 43 — XML External Entities
  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-611?

CWE-611 (Improper Restriction of XML External Entity Reference) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into...

How can CWE-611 be exploited?

Attackers can exploit CWE-611 (Improper Restriction of XML External Entity Reference) to read application data, read files or directories. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-611?

Key mitigations include: Many XML parsers and validators can be configured to disable external entity expansion.

What is the severity of CWE-611?

CWE-611 is classified as a Base-level weakness (Medium abstraction). It has been observed in 11 real-world CVEs.