
CWE-776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')) — Vulnerability Class 24

24 vulnerabilities classified as CWE-776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')). AI Chinese analysis included.

CWE-776 represents a critical input validation weakness where applications fail to restrict recursive entity references within Document Type Definitions (DTDs). Attackers typically exploit this vulnerability by crafting malicious XML payloads containing deeply nested or circular entity definitions. When the parser processes these structures, it triggers an exponential expansion of data, rapidly consuming available memory and CPU resources. This uncontrolled growth leads to a denial of service, effectively crashing the application or rendering the server unresponsive to legitimate users. To mitigate this risk, developers must implement strict limits on entity expansion depth and disable DTD processing entirely when not required. Utilizing secure XML parsers that enforce resource constraints and validating input against known safe schemas are essential practices for preventing XML entity expansion attacks and ensuring system stability.

MITRE CWE Description
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities. If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.
Common Consequences (1)
Availability: DoS: Resource Consumption (Other)
If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.
Mitigations (2)
Operation: If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Implementation: Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.
Examples (1)
The DTD and the very brief XML below illustrate what is meant by an XML bomb. The ZERO entity contains one character, the letter A. The choice of entity name ZERO is being used to indicate length equivalent to that exponent on two, that is, the length of ZERO is 2^0. Similarly, ONE refers to ZERO twice, therefore the XML parser will expand ONE to a length of 2, or 2^1. Ultimately, we reach entity …
<?xml version="1.0"?>
<!DOCTYPE MaliciousDTD [
  <!ENTITY ZERO "A">
  <!ENTITY ONE "&ZERO;&ZERO;">
  <!ENTITY TWO "&ONE;&ONE;">
  ...
  <!ENTITY THIRTYTWO "&THIRTYONE;&THIRTYONE;">
]>
<data>&THIRTYTWO;</data>
Attack · XML
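A pre-parse gate in the spirit of the Implementation mitigation above, as an added example that is not part of the CWE entry or of any project listed on this page: it sizes every general entity in the internal DTD subset (the ZERO/ONE/TWO doubling chain) without ever materialising the expansion, and rejects reference cycles or any entity whose expanded length passes a byte budget. The function names and the constructed sample generator are my own; external (SYSTEM/PUBLIC) and parameter entities are deliberately out of scope.

```python
import re
# Internal DTD subset only: <!ENTITY name "value"> declarations and &name; references.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.-]*);')

def parse_internal_entities(xml_text):
    """Collect general entity declarations from the DOCTYPE's internal subset."""
    m = re.search(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', xml_text, re.S)
    return dict(ENTITY_DECL.findall(m.group(1))) if m else {}

def expanded_sizes(entities, limit):
    """Return {name: fully expanded length} without materialising the text.
    Raises ValueError on a reference cycle or if any entity exceeds `limit`."""
    sizes, visiting = {}, set()
    def size_of(name):
        if name in sizes:
            return sizes[name]
        if name in visiting:  # a -> b -> a would make a real parser loop forever
            raise ValueError(f"recursive entity reference through {name}")
        visiting.add(name)
        value, total, pos = entities[name], 0, 0
        for ref in ENTITY_REF.finditer(value):
            total += ref.start() - pos           # literal text before the reference
            pos = ref.end()
            target = ref.group(1)
            # Undefined or built-in references (&amp;) are counted as themselves.
            total += size_of(target) if target in entities else len(ref.group(0))
            if total > limit:
                raise ValueError(f"entity {name} expands beyond {limit} bytes")
        total += len(value) - pos                # trailing literal text
        visiting.discard(name)
        sizes[name] = total
        return total
    for name in entities:
        size_of(name)
    return sizes

def is_safe_to_parse(xml_text, limit=10_000):
    try:
        expanded_sizes(parse_internal_entities(xml_text), limit)
        return True
    except ValueError:
        return False

def make_bomb(depth):
    """Constructed sample in the page's ZERO/ONE/TWO pattern: e{i} doubles e{i-1}."""
    decls = ['<!ENTITY e0 "A">'] + [f'<!ENTITY e{i} "&e{i-1};&e{i-1};">' for i in range(1, depth + 1)]
    return f'<?xml version="1.0"?><!DOCTYPE data [{"".join(decls)}]><data>&e{depth};</data>'
```

Because sizes are memoised per entity, the check runs in time linear in the number of declarations even for the 2^32 chain, which is exactly the case a naive expanding parser cannot survive.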
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-40260 | pypdf: Manipulated XMP metadata entity declarations can exhaust RAM | pypdf | 6.5 (AI) | Medium (AI) | 2026-04-16
CVE-2026-33036 | fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) | fast-xml-parser | 7.5 | High | 2026-03-20
CVE-2026-29074 | SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs) | svgo | 7.5 | High | 2026-03-06
CVE-2026-27807 | MarkUs: YAML alias ('billion laughs') DoS in config upload | Markus | 4.9 | Medium | 2026-03-06
CVE-2026-26278 | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) | fast-xml-parser | 7.5 | High | 2026-02-19
CVE-2025-20369 | Extensible Markup Language (XML) External Entity Injection (XXE) through Dashboard label field on Splunk Enterprise | Splunk Enterprise | 4.6 | Medium | 2025-10-01
CVE-2025-5466 | Ivanti multiple products security vulnerability | Connect Secure | 4.9 | Medium | 2025-08-12
CVE-2025-3225 | XML Entity Expansion vulnerability in run-llama/llama_index | run-llama/llama_index | 7.5 | - | 2025-07-07
CVE-2025-0617 | Trellix HX security vulnerability | Trellix HX Console | 5.9 | Medium | 2025-01-29
CVE-2024-43398 | REXML denial of service vulnerability | rexml | 5.9 | Medium | 2024-08-22
CVE-2024-28982 | Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference | Pentaho Business Analytics Server | 7.1 | High | 2024-06-26
CVE-2024-27142 | Pre-authenticated XXE injection | Toshiba Tec e-Studio multi-function peripheral (MFP) | 5.9 | Medium | 2024-06-14
CVE-2024-27141 | Pre-authenticated Time-Based Blind XXE injection | Toshiba Tec e-Studio multi-function peripheral (MFP) | 5.9 | Medium | 2024-06-14
CVE-2024-1455 | Billion Laughs Attack leading to DoS in langchain-ai/langchain | langchain-ai/langchain | 7.5 (AI) | High (AI) | 2024-03-26
CVE-2023-3569 | PHOENIX CONTACT: Denial-of-Service due to malicious XML files in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT | CLOUD CLIENT 1101T-TX/TX | 4.9 | Medium | 2023-08-08
CVE-2023-28118 | kaml has potential denial of service while parsing input with anchors and aliases | kaml | 7.5 | High | 2023-03-20
CVE-2022-0217 | Prosodical Thoughts Prosody security vulnerability | prosody | 9.1 | - | 2022-08-26
CVE-2022-34467 | Siemens Mendix Excel Importer Module security vulnerability | Mendix Excel Importer Module (Mendix 8 compatible) | 6.5 | - | 2022-07-12
CVE-2021-31842 | McAfee Endpoint Security code issue vulnerability | McAfee Endpoint Security (ENS) for Windows | 5.0 | Medium | 2021-09-17
CVE-2021-32623 | Opencast vulnerable to billion laughs attack (XML bomb) | opencast | 8.1 | High | 2021-06-15
CVE-2021-1267 | Cisco Firepower Management Center XML Entity Expansion Vulnerability | Cisco Firepower Management Center | 6.5 | - | 2021-01-13
CVE-2020-5227 | Feedgen Vulnerable to XML Denial of Service Attacks | python-feedgen | 4.4 | Medium | 2020-01-28
CVE-2019-5442 | Pippo resource management error vulnerability | Pippo | 7.5 | - | 2019-06-12
CVE-2019-5427 | c3p0 resource management error vulnerability | c3p0 | 7.5 | - | 2019-04-22
(AI) marks a CVSS score or severity that was AI-estimated rather than vendor-assigned.

Vulnerabilities classified as CWE-776 (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')) represent 24 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.