XML is old, but it's everywhere (SOAP APIs, Sitemap.xml, Docx files). The XML standard includes a feature called "DTD" (Document Type Definition) that allows defining custom entities. If the XML parser is not securely configured, an attacker can define an entity that references a file on the server's hard drive.

The Payload

You send this valid XML to the login endpoint:
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<user><name>Bob</name><bio>&xxe;</bio></user>

When the server processes &xxe;, it resolves the system path /etc/passwd and pastes the content into the bio. When you view Bob's profile, you see the Linux password file.

1. Why does this exist?

In the 90s, it was useful for XML documents to reference external data.
It was a feature, not a bug.
But in 2025, allowing a parser to fetch external files is insane.

2. Billion Laughs Attack (DoS)

You can also use entities to crash the server (XML Bomb).
Define entity &lol; as "lol".
Define entity &lol2; as ten copies of &lol;.
Define entity &lol3; as ten copies of &lol2;.
...
Define entity &lol9;...
When the parser unpacks &lol9;, it expands exponentially into billions of "lol" strings, consuming all RAM and pegging the CPU until the process dies.

3. Prevention

The fix is simple: Disable DTD processing in your XML parser configuration.
PHP: libxml_disable_entity_loader(true); (deprecated since PHP 8.0, where libxml already refuses to load external entities by default)
Java: Set the parser feature http://apache.org/xml/features/disallow-doctype-decl to true on your DocumentBuilderFactory or SAXParserFactory.
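The same "no DOCTYPE, no entities" policy in Python's stdlib expat parser, as an added example (not code from the original post): the DOCTYPE handler aborts parsing before a single <!ENTITY> line is read, so both the file:// payload above and a lol-style bomb are refused. The sample inputs are constructed, and the three-level bomb is a deliberately small stand-in for the real nine-level one.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """The document carries a DOCTYPE, so it could declare entities."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse a small flat document into {tag: text}, refusing any DTD.

    Rejecting the DOCTYPE is the same policy as Java's
    disallow-doctype-decl: nothing can be declared, so neither a file://
    lookup nor an exponential expansion ever starts.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields, open_tags = {}, []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside a handler propagate out of Parse().
        raise DoctypeRejected(f"DOCTYPE {name!r} is not allowed")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # belt and braces: returning 0 aborts any external fetch

    def on_text(text):
        if open_tags:  # ignore whitespace outside the root element
            fields[open_tags[-1]] = fields.get(open_tags[-1], "") + text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda tag, attrs: open_tags.append(tag)
    parser.EndElementHandler = lambda tag: open_tags.pop()
    parser.CharacterDataHandler = on_text
    parser.Parse(xml_bytes, True)
    return fields


def rejects_dtd(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document because of a DTD."""
    try:
        parse_without_dtd(xml_bytes)
    except DoctypeRejected:
        return True
    return False


# Constructed sample inputs: a benign login body, the post's XXE payload,
# and a three-level XML bomb (the real one goes to lol9).
BENIGN = b'<?xml version="1.0"?><user><name>Bob</name><bio>hello</bio></user>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>'
       b'<user><name>Bob</name><bio>&xxe;</bio></user>')
BOMB = (b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
        b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
        b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
        b'<lolz>&lol3;</lolz>')

if __name__ == "__main__":
    print(parse_without_dtd(BENIGN))            # {'name': 'Bob', 'bio': 'hello'}
    print(rejects_dtd(XXE), rejects_dtd(BOMB))  # True True
```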

Related Topics
#XXE #XML #WebHacking #OWASP #DoS