Critiq Docs


security.xxe

Disable external entities on Java XML parsers

`DocumentBuilderFactory`, `SAXParserFactory`, and `TransformerFactory` instances should enable secure processing and disable external entities before they parse untrusted XML.

#Metadata

Rule ID: java.security.xxe-document-builder
Severity: high
Confidence: 0.85
Languages: java
Presets: security, strict
Stability: stable
Applies to: block
Tags: java, rules-catalog, security, xml, xxe

#Why it matters

Out of the box, the JDK's XML parser factories honour DOCTYPE declarations and resolve external entities. A parser built from an unhardened factory and fed attacker-controlled XML is therefore open to XML External Entity (XXE) injection: an entity such as `<!ENTITY xxe SYSTEM "file:///etc/passwd">` pulls local files into the parsed document, a `SYSTEM` URI pointing at an internal host turns the parser into a server-side request forgery (SSRF) primitive, and recursively nested entity definitions exhaust memory.

#Remediation

On every `DocumentBuilderFactory` and `SAXParserFactory`, call `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, set `http://apache.org/xml/features/disallow-doctype-decl` to `true` so that any DOCTYPE is rejected outright, and set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false` so that neither general nor parameter entities are resolved if a DOCTYPE ever has to be tolerated. These features must be configured before `newDocumentBuilder()` or `newSAXParser()` is called, and certainly before any untrusted XML is parsed. `TransformerFactory` exposes no SAX feature switches: besides secure processing, lock it down with `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")`.
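The following is an added example, not code from the Critiq rule or its documentation. It puts the unhardened factory the rule flags next to hardened `DocumentBuilderFactory`, `SAXParserFactory`, and `TransformerFactory` setups, and feeds both a constructed XXE payload. The class name `XxeHardening` and the payload are assumptions made for the example; the feature and attribute names are the standard JAXP/Xerces ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Constructed sample input: a classic XXE payload whose external general
    // entity tries to read a local file into the document text.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/passwd\"> ]>\n"
        + "<foo>&xxe;</foo>";

    // What the rule flags: a factory used with JDK defaults, then handed untrusted XML.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened DOM factory: secure processing, no DOCTYPE, no external entities,
    // no external DTD fetch, no XInclude.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Hardened SAX factory: the same feature set, applied through SAXParserFactory.
    static SAXParserFactory hardenedSaxParserFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setXIncludeAware(false);
        return spf;
    }

    // Hardened transformer factory: it has no SAX feature switches, so external
    // DTD and stylesheet access are cut off via the JAXP access attributes.
    static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Unhardened: with the JDK's default parser the entity is resolved and the
        // file contents land in the element text (or the parse fails on a missing file).
        try {
            Document d = parseUnsafe(XXE_PAYLOAD);
            System.out.println("unsafe parser expanded the entity; text length = "
                + d.getDocumentElement().getTextContent().length());
        } catch (SAXException e) {
            System.out.println("unsafe parser error: " + e.getMessage());
        }

        // Hardened: the DOCTYPE itself is rejected before any entity is looked at.
        try {
            hardenedDocumentBuilderFactory().newDocumentBuilder()
                .parse(new InputSource(new StringReader(XXE_PAYLOAD)));
            System.out.println("unexpected: hardened parser accepted the payload");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the DOCTYPE: " + e.getMessage());
        }

        // The SAX and transformer factories are configured the same way up front.
        hardenedSaxParserFactory().newSAXParser();
        hardenedTransformerFactory().newTransformer();
    }
}
```

The `disallow-doctype-decl`, `external-*-entities`, and `load-external-dtd` URIs are Xerces feature names, which the JDK's bundled parser understands; a third-party JAXP implementation on the classpath may throw `SAXNotRecognizedException` for one of them, so a factory helper like the above should fail closed rather than swallow that exception and continue with defaults.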

#Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/java/java.security.xxe-document-builder.rule.yaml`.