CWE-112 Missing XML Validation
Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 2Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged XML parsing without validation/constraints. XML inputs can be malformed, oversized, or crafted to trigger dangerous parser features if not handled carefully.
Why it matters
Unvalidated XML can allow XXE or malformed inputs.
- XXE / SSRF / file disclosure if unsafe XML features are enabled (see
CWE-611). - DoS via oversized or deeply nested XML (resource exhaustion).
- Logic bypass when the XML shape is assumed but not enforced.
Safer examples
1) Use safe XML parsing defaults
Disable DTD/external entity resolution and enforce size limits (see CWE-611).
2) Validate against an XML schema when applicable (XSD)
from lxml import etree
xml_doc = etree.fromstring(xml_bytes)
schema = etree.XMLSchema(etree.parse("schema.xsd"))
schema.assertValid(xml_doc)
3) Prefer simpler formats when possible
If you control both sides, JSON + schema validation can reduce XML-specific risk.
How SiteShadow detects it (high level)
- Detects XML parsing entry points and flags missing schema/structural validation and unsafe parser options.
- Prioritizes XML used in auth, config, or network-facing endpoints.
References
- CWE-112: https://cwe.mitre.org/data/definitions/112.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.