Don't be afraid of XXE vulnerabilities: understand the beast and how to detect them

TL;DR overview
- XML External Entity (XXE) vulnerabilities occur when an XML parser processes external entity references in untrusted input, allowing attackers to read server files, perform SSRF, or cause denial of service.
- XXE is a persistent threat because many XML parsers enable external entity processing by default, and developers may not realize their application accepts XML input through indirect channels.
- Mitigation requires disabling external entity and DTD processing in the XML parser configuration: a one-line fix in most languages that eliminates the entire vulnerability class.
- SonarQube detects insecure XML parser configurations through static analysis rules, flagging the issue before it reaches production.
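As an added example (not code from the article or from SonarQube), here is the pattern the mitigation bullet describes, written against Python's standard-library expat binding: an audit pass that inventories DOCTYPE and entity declarations without ever resolving an external entity, and a hardened parse that refuses any document carrying a DTD. The sample documents and the `file:///PLACEHOLDER_PATH` SYSTEM identifier are constructed for the example.

```python
from dataclasses import dataclass, field
from xml.parsers import expat

class DtdRejected(Exception):
    """parse_xml_safely refuses any document that carries a DOCTYPE."""

@dataclass
class XmlAudit:
    has_dtd: bool = False
    external_entities: list = field(default_factory=list)   # <!ENTITY x SYSTEM|PUBLIC ...>
    parameter_entities: list = field(default_factory=list)  # <!ENTITY % x ...>
    root: str = ""

def audit_xml(data: bytes) -> XmlAudit:
    """Inventory DTD and entity declarations without ever resolving an external entity."""
    report = XmlAudit()
    p = expat.ParserCreate()

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if is_param:
            report.parameter_entities.append(name)
        elif system_id is not None or public_id is not None:
            report.external_entities.append(name)

    p.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: setattr(report, "has_dtd", True)
    p.EntityDeclHandler = on_entity
    # A true return value tells expat the reference is handled, so the URI is never fetched.
    p.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    p.StartElementHandler = lambda name, attrs: setattr(report, "root", report.root or name)
    p.Parse(data, True)
    return report

def parse_xml_safely(data: bytes) -> str:
    """Hardened parse: abort on any DOCTYPE (no DTD means no entities); return the root name."""
    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} is not allowed in untrusted input")

    seen = []
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.StartElementHandler = lambda name, attrs: seen.append(name)
    p.Parse(data, True)
    return seen[0]

BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
# Constructed XXE-shaped input: an external general entity declared in the internal DTD subset.
WITH_EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                        b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
                        b'<order><id>&ext;</id></order>')
```

Running `audit_xml` over the second document reports the DTD and the external entity `ext` while the placeholder URI is never opened; `parse_xml_safely` rejects it outright, which is the behaviour a parser configured with DTDs disabled gives you for free.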