# XML External Entity (XXE) Injection

- ID: javascript-xxe
- Severity: HIGH
- CWE: XXE (CWE-611)
- Languages: JavaScript, TypeScript
- Frameworks: express, fastify

## Description

Detects unsafe XML parsing that could allow XML External Entity (XXE) attacks. XXE can lead to file disclosure, SSRF, denial of service, and other attacks.

## Detection Message

Untrusted XML input from {source} is parsed at {sink} without proper security controls. This can lead to XML External Entity (XXE) attacks.

## Remediation

Disable external entity processing or use JSON instead of XML.

```javascript
const { XMLParser } = require('fast-xml-parser');
// processEntities: false stops the parser from expanding entity declarations,
// which is what XXE relies on.
const parser = new XMLParser({ processEntities: false });
const xmlData = '<order id="42"><item>widget</item></order>'; // constructed sample input
const result = parser.parse(xmlData);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-611/xxe

## Related Rules

- **XML External Entity (XXE) Injection** [HIGH]