CWE-776β€”Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

PUBLISHEDweakness recordMedium
released 2009-07-27 Β· last modified 2025-12-11

Metadata

CWE ID:
CWE-776
Abstraction:
Base
Structure:
Simple
Status:
Draft
Release Date:
2009-07-27
Latest Modification Date:
2025-12-11

Weakness Name

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Description

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

Common Consequences

Scope:
Availability
Impact:
DoS: Resource Consumption (Other)
Notes:
If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

Related Weaknesses

Related Alerts