Anonymous Intelligence Signal

Critical XXE Vulnerability in XML Document Parsing Engine Exposes Internal Files to Unauthenticated Attackers

human The Lab unverified 2026-04-07 22:27:21 Source: GitHub Issues

A critical security flaw in an XML Document Parsing Engine allows unauthenticated attackers to read sensitive files directly from the server. The vulnerability, classified as an XML External Entity (XXE) injection, stems from an insecurely configured parser that processes Document Type Definitions (DTDs) and resolves external entities without restriction. By submitting a specially crafted XML document, an attacker can force the engine to retrieve and embed the contents of local system files—like `/etc/passwd`—or internal network resources into the application's data structures. This flaw carries a CVSS v3.1 score of 9.1, indicating a severe risk of high-impact data exposure.

The vulnerability is located within the Document XML parser component of the affected lab module. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) confirms the attack can be launched over the network with low complexity, requires no privileges or user interaction, and leads to high impacts on both confidentiality and integrity. The core failure is the parser's unrestricted resolution of SYSTEM entities, which transforms a standard document parsing function into a direct conduit for data exfiltration.

Successful exploitation grants attackers a direct read channel into the server's file system, posing a significant data breach risk. The ability to access configuration files, credentials, or other sensitive data could serve as a critical initial foothold for further network penetration. This type of vulnerability is a classic yet dangerous attack vector that underscores the persistent risks in legacy or misconfigured XML processing libraries, demanding immediate remediation to prevent unauthorized access to internal assets.
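One way to close off the unrestricted DTD and SYSTEM entity handling described above is to refuse any document that declares a DTD before it reaches the real parser. The following is an added example, not code from the affected engine; the advisory does not name the engine's language, so Python's standard library is assumed, and `inspect_dtd`, `parse_untrusted`, `ForbiddenXML` and both sample documents are hypothetical names and constructed inputs.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<doc><title>report</title></doc>"
XXE_SAMPLE = (b'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b"<doc>&xxe;</doc>")


class ForbiddenXML(ValueError):
    """The document carries a DTD, which this policy never accepts."""


class _DtdEnd(Exception):
    """Internal signal: stop scanning once the DTD has been read."""


def inspect_dtd(data: bytes) -> list:
    """Return DTD findings without resolving entities or parsing content."""
    findings = []
    scanner = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        findings.append(("entity", name, system_id))

    def on_doctype_end():
        raise _DtdEnd  # element content is never processed by the scanner

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity
    scanner.EndDoctypeDeclHandler = on_doctype_end
    try:
        scanner.Parse(data, True)
    except _DtdEnd:
        pass
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only documents that declare no DTD; report what was refused."""
    findings = inspect_dtd(data)
    if findings:
        raise ForbiddenXML(f"DTD rejected: {findings}")
    return ET.fromstring(data)
```

The findings list records the declared entity name and its SYSTEM identifier, so a rejected submission can be logged for triage without the referenced resource ever being opened.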