CWE-112 Missing XML Validation
What this means
SiteShadow flagged XML parsing without validation/constraints. XML inputs can be malformed, oversized, or crafted to trigger dangerous parser features if not handled carefully.
Why it matters
Unvalidated XML can expose the parser to XXE and to malformed or oversized inputs.
- XXE / SSRF / file disclosure if unsafe XML features are enabled (see CWE-611).
- DoS via oversized or deeply nested XML (resource exhaustion).
- Logic bypass when the XML shape is assumed but not enforced.
Safer examples
1) Use safe XML parsing defaults
Disable DTD/external entity resolution and enforce size limits (see CWE-611).
2) Validate against an XML schema when applicable (XSD)
```python
from lxml import etree

# Parser with DTD loading and entity resolution disabled (see CWE-611);
# input size should still be bounded by the caller before parsing.
parser = etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)
xml_doc = etree.fromstring(xml_bytes, parser)  # xml_bytes: the untrusted input
schema = etree.XMLSchema(etree.parse("schema.xsd"))
schema.assertValid(xml_doc)  # raises etree.DocumentInvalid if the shape does not match
```
3) Prefer simpler formats when possible
If you control both sides, JSON + schema validation can reduce XML-specific risk.
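The following is an added example, not SiteShadow's code and not from the page, that puts points 1) and 2) together using only the Python standard library: it bounds input size, refuses any DTD (the prerequisite for XXE and entity-expansion attacks), caps nesting depth during parsing, and then enforces an expected document shape. Because the standard library has no XSD validator, the "schema" here is a hand-written structural check; the hypothetical `<order>`/`<item>` shape, the limits, and the sample inputs are all constructed assumptions.

```python
import io
import xml.etree.ElementTree as ET

# Limits applied before and during parsing (assumed values for this example).
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ITEMS = 100


class XMLValidationError(ValueError):
    """Raised for any input that fails size, DTD, depth, well-formedness or shape checks."""


def parse_validated(xml_bytes: bytes) -> dict:
    """Parse an untrusted <order> document and return its content, or raise XMLValidationError.

    Hypothetical expected shape (an assumption, not from the page):
        <order id="..."><item sku="..." qty="..."/>...</order>
    """
    # 1) Size limit before the parser sees a single byte.
    if len(xml_bytes) > MAX_BYTES:
        raise XMLValidationError("document too large")

    # 2) Refuse any DTD outright: XXE and entity-expansion payloads need one.
    #    XML keywords are case-sensitive, so an exact uppercase match suffices.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise XMLValidationError("DTD not allowed")

    # 3) Parse incrementally so nesting depth can be checked as elements open.
    depth = 0
    root = None
    try:
        for event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_DEPTH:
                    raise XMLValidationError("nesting too deep")
                if root is None:
                    root = elem
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise XMLValidationError(f"malformed XML: {exc}") from None

    # 4) Enforce the expected shape instead of assuming it.
    if root is None or root.tag != "order":
        raise XMLValidationError("root element must be <order>")
    if set(root.attrib) != {"id"}:
        raise XMLValidationError("root must carry exactly the 'id' attribute")
    children = list(root)
    if len(children) > MAX_ITEMS:
        raise XMLValidationError("too many items")
    items = []
    for child in children:
        if child.tag != "item" or set(child.attrib) != {"sku", "qty"}:
            raise XMLValidationError("unexpected child element or attributes")
        if len(child) != 0 or (child.text or "").strip():
            raise XMLValidationError("item must be empty")
        if not child.attrib["qty"].isdigit():
            raise XMLValidationError("qty must be a non-negative integer")
        items.append({"sku": child.attrib["sku"], "qty": int(child.attrib["qty"])})
    return {"id": root.attrib["id"], "items": items}


def rejection_reason(xml_bytes: bytes):
    """Return None if the document is accepted, otherwise the validation error message."""
    try:
        parse_validated(xml_bytes)
    except XMLValidationError as exc:
        return str(exc)
    return None


# Constructed sample inputs covering the accepted case and each rejection path.
GOOD = b'<order id="A1"><item sku="X-1" qty="2"/><item sku="Y-9" qty="1"/></order>'
WITH_DTD = b'<!DOCTYPE order [<!ENTITY e "x">]><order id="A1">&e;</order>'
TOO_DEEP = b"<a>" * 40 + b"</a>" * 40
MALFORMED = b'<order id="A1"><item sku="X" qty="1"></order>'
WRONG_SHAPE = b'<order id="A1"><item sku="X" qty="1"><extra/></item></order>'
OVERSIZED = b'<order id="A1">' + b'<item sku="s" qty="1"/>' * 10000 + b"</order>"

if __name__ == "__main__":
    print(parse_validated(GOOD))
    for sample in (WITH_DTD, TOO_DEEP, MALFORMED, WRONG_SHAPE, OVERSIZED):
        print("rejected:", rejection_reason(sample))
```

The DTD check is deliberately blunt: it will also reject a `<!DOCTYPE` that appears inside a comment or CDATA section, which is the conservative failure mode for untrusted input. Where lxml is available, the structural block in step 4 is what an XSD via `etree.XMLSchema` would replace.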
How SiteShadow detects it (high level)
- Detects XML parsing entry points and flags missing schema/structural validation and unsafe parser options.
- Prioritizes XML used in auth, config, or network-facing endpoints.
References
- CWE-112: https://cwe.mitre.org/data/definitions/112.html
---