XML External Entity (XXE)

An XML parsing flaw where external entities are resolved, letting attackers read files or issue internal requests.

What it is

XML External Entity (XXE) vulnerabilities occur when an XML parser processes untrusted input that declares external entities: references, made in the document's DTD (the DOCTYPE section), to files or network resources outside the document itself. Because the parser resolves those references before the application ever sees the data, an attacker can craft a payload that makes the parser read sensitive files such as /etc/passwd and return their contents in a response, or contact hosts the attacker cannot reach directly.

XXE commonly affects legacy or misconfigured XML libraries, and in particular those whose default configuration still resolves external entities. In blind XXE the server does not echo the entity's contents, so the attacker exfiltrates data indirectly: by making the parser send it in an out-of-band DNS or HTTP request to an attacker-controlled host, or by provoking parser error messages that include it.

Why it matters

XXE can lead to disclosure of files and credentials, denial of service (for example through entity declarations that expand recursively), and server-side request forgery against systems reachable only from the vulnerable server. In cloud environments, that SSRF path can reach the instance metadata service and expose credentials and configuration intended only for the workload itself.

How to reduce risk

  • Disable DTD processing altogether where the application does not need it; at minimum, disable resolution of external general and parameter entities in every XML parser the application uses, including parsers buried inside SOAP, SAML and document-processing libraries.
  • Prefer simpler formats such as JSON for new interfaces where XML features are not required.
  • Reject input that contains a DOCTYPE declaration before it reaches the parser, and validate documents against a strict schema. Schema validation on its own does not stop XXE, because entities are expanded during parsing, before validation runs.
  • Employ static analysis and dependency scanning to find parser configurations that leave entity resolution enabled.
  • Keep third-party XML libraries updated, since newer releases often ship with safer defaults.
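
The following Python script is an added example, not code from the original page or from any particular library or project. It illustrates both the flaw described under "What it is" and the fixes listed above: a parser configured to resolve external entities (built here on the standard-library expat bindings) splices a local file into the parsed document and attempts to contact whatever URL the DTD names, while the hardened parser refuses any DOCTYPE up front and keeps external entity resolution switched off. The payload, the secret file, the file name and the hostname internal-service.local are all constructed for the demo; the HTTP case is only recorded, not fetched, so the script runs offline.

```python
import io
import os
import tempfile
import xml.parsers.expat as expat
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


def build_payload(system_id):
    """Constructed attacker input: the DTD declares an external entity whose
    SYSTEM identifier is attacker-controlled, and the entity is referenced
    inside an ordinary-looking element."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [\n'
        f'  <!ENTITY xxe SYSTEM "{system_id}">\n'
        ']>\n'
        '<order><customer>&xxe;</customer></order>\n'
    ).encode()


def parse_legacy(xml_bytes, fetched):
    """Behaves like an XXE-prone parser: every external entity the DTD
    declares is resolved. Local files are opened and their content becomes
    part of the document; URLs are only recorded in `fetched` (a real
    resolver would issue the request, which is the SSRF variant)."""
    texts = []
    parser = expat.ParserCreate()

    def on_text(data):
        texts.append(data)

    def external_entity_ref(context, base, system_id, public_id):
        fetched.append(system_id)
        if system_id.startswith(("http://", "https://")):
            return 1  # offline demo: pretend the request returned an empty body
        # Parse the file as an external parsed entity; its text is reported
        # through the same CharacterDataHandler as the rest of the document.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as f:
            child.Parse(f.read(), True)
        return 1

    parser.CharacterDataHandler = on_text
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_bytes, True)
    return "".join(texts).strip()


class _TextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_hardened(xml_bytes):
    """Fail closed: refuse any DOCTYPE (no DTD means no entity declarations),
    and keep external general and parameter entity resolution explicitly off
    rather than relying on the library default."""
    if b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE/DTD not allowed in untrusted XML")
    collector = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def demo():
    """Returns (leaked_text, identifiers_requested, hardened_rejected, benign_text)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "db_password.txt")
        with open(secret_path, "w") as f:
            f.write("s3cr3t-db-password")  # constructed stand-in for /etc/passwd

        fetched = []
        leaked = parse_legacy(build_payload(secret_path), fetched)
        # Same flaw, different target: the parser is turned into an SSRF proxy.
        parse_legacy(build_payload("http://internal-service.local/admin"), fetched)

        try:
            parse_hardened(build_payload(secret_path))
            rejected = False
        except ValueError:
            rejected = True
        benign = parse_hardened(b"<order><customer>alice</customer></order>")
    return leaked, fetched, rejected, benign


if __name__ == "__main__":
    print(demo())
```

The DOCTYPE check runs on the raw bytes before any parsing, so the hardened path never gives the parser a chance to see an entity declaration; the feature flags are defence in depth for the case where a DTD slips through or the library default changes.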