XXE (XML External Entity) Explained


TL;DR

XXE attacks exploit XML parsers that process external entity references. Attackers can read server files, make requests to internal systems, or cause denial of service. Most modern web apps use JSON instead of XML, making XXE less common. If you do parse XML, disable external entity processing in your parser configuration.

What Is XXE?

XML External Entity (XXE) is a vulnerability in applications that parse XML input. XML allows defining "entities" that can reference external resources. If a parser processes these references, attackers can:

  • Read local files: Access /etc/passwd, configuration files, source code
  • Server-Side Request Forgery: Make requests to internal systems
  • Denial of Service: Crash the parser with recursive entities
  • Port scanning: Discover internal network services

How XXE Works

Malicious XML payload
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<userInfo>
  <name>&xxe;</name>
</userInfo>

<!-- When parsed, &xxe; is replaced with contents of /etc/passwd -->

If a vulnerable server parses this XML, it reads /etc/passwd and includes its contents in the response or processes it as the user's "name".

Is My Vibe-Coded App at Risk?

Good news: Most modern JavaScript/TypeScript apps use JSON for data exchange, not XML. If your app doesn't parse XML, you're not vulnerable to XXE.

You might be at risk if your app:

  • Accepts XML uploads (documents, configuration files)
  • Integrates with SOAP APIs
  • Parses SVG images server-side
  • Processes Office documents (DOCX, XLSX are XML-based)
  • Uses XML-based configuration

How to Prevent XXE

1. Use JSON Instead of XML

The simplest fix is to not use XML at all. JSON parsers don't have external entity features.

2. Disable External Entities

Safe XML parsing in Node.js
// Using libxmljs2 with safe defaults
const libxmljs = require('libxmljs2');

const doc = libxmljs.parseXml(xmlString, {
  noent: false,     // Disable entity substitution
  dtdload: false,   // Don't load external DTDs
  dtdvalid: false   // Don't validate against DTD
});

// Or use a library designed to be safe
const { XMLParser } = require('fast-xml-parser');
const parser = new XMLParser({
  // fast-xml-parser is XXE-safe by default
});

3. Validate and Sanitize XML

If you must accept XML, validate it against a strict schema and reject any document containing a DOCTYPE declaration before it reaches the parser, since the DOCTYPE is the only place entities can be declared.
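One way to implement that pre-parse rejection in Node.js, as an added example that is not part of the original article: it refuses any input carrying a DOCTYPE or ENTITY declaration, and additionally refuses references to entities that are neither predefined nor numeric character references, so a document that expects an entity to be declared somewhere is caught even if the declaration itself is missing. It goes slightly beyond the text by first honouring a UTF-8 or UTF-16LE byte-order mark, so the check sees the same text the parser would. The function names (`checkXmlForXxe`, `decodeXml`) and the `SAMPLES` inputs are constructed for this example.

```javascript
// Added example: a pre-parse guard that rejects XML carrying a DOCTYPE
// (and therefore any entity declarations) before it reaches a parser.
// Not part of the original article; all names here are invented.

// The five entities every XML parser knows without a DTD.
const PREDEFINED = new Set(['lt', 'gt', 'amp', 'quot', 'apos']);

// Convert an upload to a string, honouring a UTF-8 or UTF-16LE byte-order
// mark so a DOCTYPE cannot hide behind an encoding the check does not
// understand. Anything else is refused rather than guessed.
function decodeXml(input) {
  if (typeof input === 'string') return input;
  const buf = Buffer.from(input);
  if (buf[0] === 0xef && buf[1] === 0xbb && buf[2] === 0xbf) return buf.toString('utf8', 3);
  if (buf[0] === 0xff && buf[1] === 0xfe) return buf.toString('utf16le', 2);
  if (buf[0] === 0xfe && buf[1] === 0xff) throw new Error('unsupported encoding: UTF-16BE');
  return buf.toString('utf8');
}

// Returns { ok: true } or { ok: false, reason }.
function checkXmlForXxe(input) {
  const xml = decodeXml(input);

  // 1. Any DOCTYPE (or stray ENTITY declaration) is rejected outright:
  //    the DTD is the only place entities can be declared, and plain
  //    data exchange does not need one.
  if (/<!(DOCTYPE|ENTITY)/i.test(xml)) {
    return { ok: false, reason: 'DOCTYPE/ENTITY declaration present' };
  }

  // 2. With no DTD, only the predefined names and numeric character
  //    references are valid. Anything else means the document expects an
  //    entity to be defined elsewhere and should not be trusted.
  //    Comments and CDATA are stripped first because references inside
  //    them are never expanded.
  const body = xml
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
  for (const [, name] of body.matchAll(/&([^;\s<&]+);/g)) {
    if (/^#(x[0-9a-f]+|[0-9]+)$/i.test(name)) continue; // &#169; &#x41;
    if (!PREDEFINED.has(name)) {
      return { ok: false, reason: `undeclared entity reference &${name};` };
    }
  }
  return { ok: true };
}

// Constructed samples: the article's payload, a clean record with only
// predefined and numeric references, the payload behind a UTF-16LE BOM,
// and a record that references an entity nothing declares.
const SAMPLES = {
  xxePayload:
    '<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>' +
    '<userInfo><name>&xxe;</name></userInfo>',
  clean: '<userInfo><name>A &amp; B &#169; &#x41;</name><!-- &note; --></userInfo>',
  utf16Payload: Buffer.concat([
    Buffer.from([0xff, 0xfe]),
    Buffer.from('<!DOCTYPE x [<!ENTITY e SYSTEM "file:///x">]><a>&e;</a>', 'utf16le'),
  ]),
  danglingRef: '<a>&custom;</a>',
};

for (const [label, sample] of Object.entries(SAMPLES)) {
  console.log(label, checkXmlForXxe(sample));
}
```

Run it ahead of whichever parser you use; it complements, rather than replaces, the parser options in step 2, because the parser's own settings are what actually stop entity resolution. Some design tools emit SVGs with a `<!DOCTYPE svg PUBLIC ...>` header, so this strict rule will refuse those files; that is the intended trade-off for an upload endpoint.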

Can JSON APIs have XXE vulnerabilities?

No. XXE is specific to XML parsing. JSON parsers don't support external entities. If your API only accepts JSON, you're not vulnerable to XXE.

Are SVG files dangerous?

SVGs are XML-based and can contain XXE payloads. If you parse SVG files server-side (for resizing, converting), ensure your parser has external entities disabled.

What about Office document uploads?

DOCX, XLSX, and PPTX files are ZIP archives containing XML. Libraries that process these files should be configured to disable external entity processing.

Check Your XML Handling

Our scanner tests for XXE vulnerabilities in your file upload endpoints.
