Improper Control of Document Type Definition
This vulnerability occurs when an application fails to properly restrict which Document Type Definitions (DTDs) can be referenced during XML parsing. Attackers can exploit this by injecting references to malicious DTDs, potentially leading to unauthorized file access, server-side request forgery (SSRF), or denial-of-service through resource exhaustion.
When an XML parser processes a DTD, it may automatically retrieve and execute external resources or read local files specified within that DTD. If an attacker controls the DTD reference, they can point the parser to sensitive system files, internal network endpoints, or malicious payloads, effectively using the application's parsing functionality as an attack vector. This is why many modern web standards explicitly forbid DTDs in certain contexts—for instance, the SOAP specification prohibits DTDs within messages. To prevent this, developers must either disable external DTD processing entirely in their XML parser configuration or implement strict allowlists that restrict DTD sources to trusted, intended locations only.
Impact: Read Files or Directories
If the attacker is able to include a crafted DTD and a default entity resolver is enabled, the attacker may be able to access arbitrary files on the system.
Impact: DoS: Resource Consumption (CPU)DoS: Resource Consumption (Memory)
The DTD may cause the parser to consume excessive CPU cycles or memory using techniques such as nested or recursive entity references (Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')).
Impact: Execute Unauthorized Code or CommandsGain Privileges or Assume Identity
The DTD may include arbitrary HTTP requests that the server may execute. This could lead to other attacks leveraging the server's trust relationship with other entities.