Security Glossary
Definition
XXE
What is XML External Entity?
A vulnerability in applications that parse XML input with a misconfigured parser, one that processes external entity references embedded in the document. XXE attacks can read arbitrary files from the server filesystem, trigger server-side request forgery, enumerate internal network services, and in some cases achieve remote code execution; attackers also exfiltrate data through the parser's own error messages (error-based exfiltration). XXE is prevented by disabling external entity processing in XML parsers and by using safer serialization formats such as JSON where XML is not required.
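As an added example (not part of the glossary entry), the same Python `xml.sax` parser in its misconfigured and its hardened configuration: the hardened path disables fetching of external general entities and, more robustly, rejects any DOCTYPE, since that is the only place an entity can be declared. The XML inputs, the placeholder path and the temporary "secret" file are all constructed for the demonstration.

```python
import io
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

class DoctypeRejected(ValueError):
    """Untrusted XML carried a DOCTYPE, the only place an entity can be declared."""

class _DoctypeGuard:
    """Lexical handler that aborts parsing the moment a DOCTYPE appears."""
    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in untrusted input")
    def _ignore(self, *args):
        pass
    endDTD = comment = startCDATA = endCDATA = _ignore

def parse_text(xml_bytes, allow_external_entities=False, reject_doctype=True):
    """Return the document's text; the defaults are the hardened setup, the flags show the unsafe one."""
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether SYSTEM entities are fetched (file://, http://, ...).
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    if reject_doctype:  # strongest fix: refuse the DOCTYPE that would declare the entity
        parser.setProperty(handler.property_lexical_handler, _DoctypeGuard())
    parts = []
    collector = ContentHandler()
    collector.characters = parts.append  # capture what each entity reference expanded to
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(parts).strip()

def is_rejected(xml_bytes):
    try:
        parse_text(xml_bytes)
    except DoctypeRejected:
        return True
    return False

# Constructed inputs: a benign order and an XXE payload pointing at a placeholder path.
BENIGN_ORDER = b'<?xml version="1.0"?><order><customer>Alice</customer></order>'
XXE_PAYLOAD = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///placeholder/secret.txt">]>'
               b'<order><customer>&xxe;</customer></order>')

def demo_leak():
    """What the misconfigured parser does: the entity is replaced by a local file's contents."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as secret:
        secret.write("SECRET-FROM-DISK\n")  # stands in for a sensitive server file
    payload = XXE_PAYLOAD.replace(b"file:///placeholder/secret.txt", secret.name.encode())
    return parse_text(payload, allow_external_entities=True, reject_doctype=False)
```

With the hardened defaults the benign document parses normally, the payload is refused at the DOCTYPE, and even a parser that merely leaves external entities disabled expands `&xxe;` to nothing instead of the file's contents.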