CWE-91 XML/XPath Injection
What this means
SiteShadow flagged an XPath expression that is built from untrusted input. XPath is like "SQL for XML": if you build the expression by string concatenation, attackers can change the query logic.
Why it matters
XPath injection can expose or modify XML data.
- Data exposure: attackers can query unexpected nodes/attributes.
- Auth bypass if XML-backed auth/ACL checks rely on injectable XPath.
- Integrity issues if the injected expression controls updates or selections.
Safer examples
1) Use XPath variables / parameterization when supported (Python + lxml)
from lxml import etree
xml_bytes = b"<users><user id='alice'/></users>"  # sample document standing in for the real input
user_input = "alice"  # value received from the client
doc = etree.fromstring(xml_bytes)
user_id = user_input  # still validate/allowlist expected format
# $id is bound as an XPath variable: the value is compared as a string and never parsed as XPath
nodes = doc.xpath("//user[@id=$id]", id=user_id)
2) Allowlist selectors instead of accepting raw XPath
If users are choosing "which field to search," map that choice to a known safe XPath snippet.
3) Prefer structured parsing over XPath for security decisions
For auth/ACL decisions, parse and compare explicit fields rather than evaluating user-influenced XPath.
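Items 1 and 2 together, as an added example that is not part of the SiteShadow page: a concatenated expression beside a version that allowlists the selector, validates the value's shape, and binds it as an XPath variable. The sample XML, field names and regex are constructed for the illustration.

```python
import re
from lxml import etree

# Constructed sample document (not real data).
USERS_XML = b"""
<users>
  <user id="alice" role="admin"><email>alice@example.test</email></user>
  <user id="bob" role="user"><email>bob@example.test</email></user>
</users>
"""

# Allowlist: the client picks a field *name*; the XPath fragment is fixed by us.
SEARCHABLE_FIELDS = {
    "id": "@id",
    "email": "email",
}
# Values are also constrained to an expected shape before they reach XPath.
VALUE_RE = re.compile(r"[A-Za-z0-9@._-]{1,64}")


def load_users():
    return etree.fromstring(USERS_XML)


def vulnerable_find(doc, field, value):
    """Concatenation: quotes in `value` become part of the XPath grammar."""
    return doc.xpath("//user[" + field + "='" + value + "']")


def safe_find(doc, field, value):
    """Allowlisted selector plus the value bound as XPath variable $v."""
    selector = SEARCHABLE_FIELDS.get(field)
    if selector is None:
        raise ValueError("unsupported search field: %r" % field)
    if not VALUE_RE.fullmatch(value):
        raise ValueError("value does not match the expected format")
    # $v is compared as a string literal; quotes inside it cannot change the query.
    return doc.xpath("//user[%s=$v]" % selector, v=value)


def hits(doc, field, value, finder):
    """Number of <user> nodes a finder returns; ValueError counts as a rejected query."""
    try:
        return len(finder(doc, field, value))
    except ValueError:
        return -1
```

With the constructed tautology value `x' or '1'='1`, `vulnerable_find` returns every user while `safe_find` rejects the value before it reaches the XPath engine.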
How SiteShadow detects it (high level)
- Detects XPath evaluation APIs and checks whether the expression is derived from untrusted input.
- Flags cases where the XPath result gates auth/data access.
References
- CWE-91: https://cwe.mitre.org/data/definitions/91.html
---