XML External Entity vector

Publication Date2023-08-11
TypeCross-Site Request Forgery
Affected PHP Versions
  • 7.2.0 - 7.2.34
  • 7.3.0 - 7.3.33
  • 7.4.0 - 7.4.33
  • 8.0.0 - 8.0.29
  • 8.1.0 - 8.1.21
  • 8.2.0 - 8.2.8
Fixed Product Versions
  • ZendPHP 7.2
  • ZendPHP 7.3
  • ZendPHP 7.4
  • ZendPHP 8.0
  • ZendPHP 8.1
  • ZendPHP 8.2
  • ZendServer 2019.1.4
  • ZendServer 2021.3.2

CVE Details

PHP's various XML functions rely on libxml global state to track configuration variables, including whether external entities are loaded. Any given request can change that state, and those changes then persist as long as the process continues running. Because of this, when other modules, such as ImageMagick, use the library in the same process, they can potentially change that state for their own purposes, affecting any other usage of libxml within the process (e.g. for processing XML via the DOM functionality). If they were to enable external entities, but the application assumes that external entity loading is disabled, this can lead to an XML eXternal Entity (XXE) vector, which could potentially disclose file accessibility and/or contents from the local filesystem.


If you use any XML functionality in PHP, we highly recommend upgrading your PHP version to one that has been patched.

If you cannot update immediately, we recommend disabling external entity loading immediately prior to operations that would parse XML (e.g. using DOMDocument::load(), DOMDocument::loadXML(), XMLReader::open(), simplexml_load_file(), etc.). You can do this via the following: libxml_set_external_entity_loader(null).