The product accepts XML from an untrusted source but does not validate the XML against the proper schema.

What CVEs are caused by CWE-112?

7 recorded CVEs are attributed to CWE-112, including CVE-2020-1975, CVE-2023-40310, CVE-2021-1359.

How do you prevent CWE-112?

Always validate XML input against a known XML Schema or DTD.

How is CWE-112 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-112?

Exploiting CWE-112 can lead to: Unexpected State.

Is CWE-112 actively exploited?

7 recorded CVEs are caused by CWE-112; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-112: Missing XML Validation

CVE-2021-27780

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code loads and parses an XML file.

Vulnerable example

java

// Read DOM

The XML file is loaded without validating it against a known XML Schema or DTD.

The following code creates a DocumentBuilder object to be used in building an XML document.

Vulnerable example

java

DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();

The DocumentBuilder object does not validate an XML document against a schema, making it possible to create an invalid XML document.

CWE-112: Missing XML Validation

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-112?

What CVEs are caused by CWE-112?

How do you prevent CWE-112?

How is CWE-112 detected?

What are the consequences of CWE-112?

Is CWE-112 actively exploited?

References

Stay ahead of CWE-112

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-112?

What CVEs are caused by CWE-112?

How do you prevent CWE-112?

How is CWE-112 detected?

What are the consequences of CWE-112?

Is CWE-112 actively exploited?

References

Stay ahead of CWE-112