[{"data":1,"prerenderedAt":230},["ShallowReactive",2],{"blog-vulnerabilities/xxe":3},{"id":4,"title":5,"body":6,"category":210,"date":211,"dateModified":211,"description":212,"draft":213,"extension":214,"faq":215,"featured":213,"headerVariant":216,"image":215,"keywords":215,"meta":217,"navigation":218,"ogDescription":219,"ogTitle":215,"path":220,"readTime":221,"schemaOrg":222,"schemaType":223,"seo":224,"sitemap":225,"stem":226,"tags":227,"twitterCard":228,"__hash__":229},"blog/blog/vulnerabilities/xxe.md","XXE (XML External Entity) Explained",{"type":7,"value":8,"toc":197},"minimark",[9,16,21,24,53,57,72,79,83,92,95,112,116,121,124,128,137,141,144,166,185],[10,11,12],"tldr",{},[13,14,15],"p",{},"XXE attacks exploit XML parsers that process external entity references. Attackers can read server files, make requests to internal systems, or cause denial of service. Most modern web apps use JSON instead of XML, making XXE less common. If you do parse XML, disable external entity processing in your parser configuration.",[17,18,20],"h2",{"id":19},"what-is-xxe","What Is XXE?",[13,22,23],{},"XML External Entity (XXE) is a vulnerability in applications that parse XML input. XML allows defining \"entities\" that can reference external resources. If a parser processes these references, attackers can:",[25,26,27,35,41,47],"ul",{},[28,29,30,34],"li",{},[31,32,33],"strong",{},"Read local files:"," Access /etc/passwd, configuration files, source code",[28,36,37,40],{},[31,38,39],{},"Server-Side Request Forgery:"," Make requests to internal systems",[28,42,43,46],{},[31,44,45],{},"Denial of Service:"," Crash the parser with recursive entities",[28,48,49,52],{},[31,50,51],{},"Port scanning:"," Discover internal network services",[17,54,56],{"id":55},"how-xxe-works","How XXE Works",[58,59,61],"code-block",{"label":60},"Malicious XML payload",[62,63,68],"pre",{"className":64,"code":66,"language":67},[65],"language-text","\u003C?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\u003C!DOCTYPE foo [\n  \u003C!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n]>\n\u003CuserInfo>\n  \u003Cname>&xxe;\u003C/name>\n\u003C/userInfo>\n\n\u003C!-- When parsed, &xxe; is replaced with contents of /etc/passwd -->\n","text",[69,70,66],"code",{"__ignoreMap":71},"",[13,73,74,75,78],{},"If a vulnerable server parses this XML, it reads ",[69,76,77],{},"/etc/passwd"," and includes its contents in the response or processes it as the user's \"name\".",[17,80,82],{"id":81},"is-my-vibe-coded-app-at-risk","Is My Vibe-Coded App at Risk?",[84,85,86],"success-box",{},[13,87,88,91],{},[31,89,90],{},"Good news:"," Most modern JavaScript/TypeScript apps use JSON for data exchange, not XML. If your app doesn't parse XML, you're not vulnerable to XXE.",[13,93,94],{},"You might be at risk if your app:",[25,96,97,100,103,106,109],{},[28,98,99],{},"Accepts XML uploads (documents, configuration files)",[28,101,102],{},"Integrates with SOAP APIs",[28,104,105],{},"Parses SVG images server-side",[28,107,108],{},"Processes Office documents (DOCX, XLSX are XML-based)",[28,110,111],{},"Uses XML-based configuration",[17,113,115],{"id":114},"how-to-prevent-xxe","How to Prevent XXE",[117,118,120],"h3",{"id":119},"_1-use-json-instead-of-xml","1. Use JSON Instead of XML",[13,122,123],{},"The simplest fix is to not use XML at all. JSON parsers don't have external entity features.",[117,125,127],{"id":126},"_2-disable-external-entities","2. Disable External Entities",[58,129,131],{"label":130},"Safe XML parsing in Node.js",[62,132,135],{"className":133,"code":134,"language":67},[65],"// Using libxmljs2 with safe defaults\nconst libxmljs = require('libxmljs2');\n\nconst doc = libxmljs.parseXml(xmlString, {\n  noent: false,     // Disable entity substitution\n  dtdload: false,   // Don't load external DTDs\n  dtdvalid: false   // Don't validate against DTD\n});\n\n// Or use a library designed to be safe\nconst { XMLParser } = require('fast-xml-parser');\nconst parser = new XMLParser({\n  // fast-xml-parser is XXE-safe by default\n});\n",[69,136,134],{"__ignoreMap":71},[117,138,140],{"id":139},"_3-validate-and-sanitize-xml","3. Validate and Sanitize XML",[13,142,143],{},"If you must accept XML, validate it against a strict schema and reject anything with DOCTYPE declarations.",[145,146,147,154,160],"faq-section",{},[148,149,151],"faq-item",{"question":150},"Can JSON APIs have XXE vulnerabilities?",[13,152,153],{},"No. XXE is specific to XML parsing. JSON parsers don't support external entities. If your API only accepts JSON, you're not vulnerable to XXE.",[148,155,157],{"question":156},"Are SVG files dangerous?",[13,158,159],{},"SVGs are XML-based and can contain XXE payloads. If you parse SVG files server-side (for resizing, converting), ensure your parser has external entities disabled.",[148,161,163],{"question":162},"What about Office document uploads?",[13,164,165],{},"DOCX, XLSX, and PPTX files are ZIP archives containing XML. Libraries that process these files should be configured to disable external entity processing.",[167,168,169,175,180],"related-articles",{},[170,171],"related-card",{"description":172,"href":173,"title":174},"Server-side request forgery","/blog/vulnerabilities/ssrf","SSRF Explained",[170,176],{"description":177,"href":178,"title":179},"Another injection attack","/blog/vulnerabilities/sql-injection","SQL Injection",[170,181],{"description":182,"href":183,"title":184},"Safe file handling","/blog/checklists/file-upload-checklist","File Upload Security",[186,187,190,194],"cta-box",{"href":188,"label":189},"/","Start Free Scan",[17,191,193],{"id":192},"check-your-xml-handling","Check Your XML Handling",[13,195,196],{},"Our scanner tests for XXE vulnerabilities in your file upload endpoints.",{"title":71,"searchDepth":198,"depth":198,"links":199},2,[200,201,202,203,209],{"id":19,"depth":198,"text":20},{"id":55,"depth":198,"text":56},{"id":81,"depth":198,"text":82},{"id":114,"depth":198,"text":115,"children":204},[205,207,208],{"id":119,"depth":206,"text":120},3,{"id":126,"depth":206,"text":127},{"id":139,"depth":206,"text":140},{"id":192,"depth":198,"text":193},"vulnerabilities","2026-01-27","XXE attacks exploit XML parsers to read files, make server requests, or crash applications. Learn how XXE works and why modern apps that don't use XML are usually safe.",false,"md",null,"red",{},true,"Learn how XML External Entity attacks work and when your app might be vulnerable.","/blog/vulnerabilities/xxe","6 min read","[object Object]","TechArticle",{"title":5,"description":212},{"loc":220},"blog/vulnerabilities/xxe",[],"summary_large_image","JtOytpSgmGL78_YjTO5681gLi4S_elEJDdAgwTpaP9Q",1775843926362]