CWE•Base•Draft•4 recent CVEs

CWE-776Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Description

The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.

If the DTD contains a large number of nested or recursive entities, this can lead to explosive growth of data when parsed, causing a denial of service.

Common consequences

Availability→DoS: Resource Consumption (Other)
If parsed, recursive entity references allow the attacker to expand data exponentially, quickly consuming all system resources.

Potential mitigations

Operation
If possible, prohibit the use of DTDs or use an XML parser that limits the expansion of recursive DTD entities.
Implementation
Before parsing XML files with associated DTDs, scan for recursive entity declarations and do not continue parsing potentially explosive content.

Recent CVEs classified under this CWE

CVE-2026-238225.32026-05-12 CVE-2026-312487.52026-05-11 CVE-2026-422122026-05-08 CVE-2017-56445.52017-03-24

Description

Common consequences

Potential mitigations

Related CWEs

Recent CVEs classified under this CWE