<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Lxml - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/lxml/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/lxml/feed.xml" rel="self" type="application/rss+xml"/><item><title>lxml Library Vulnerable to XXE Attacks via iterparse() and ETCompatXMLParser()</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-lxml-xxe/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-lxml-xxe/</guid><description>lxml versions before 6.1.0 are vulnerable to XML External Entity (XXE) attacks when using iterparse() or ETCompatXMLParser() with default settings, potentially allowing local file reads.</description><content:encoded><![CDATA[<p>The lxml library, a widely used XML and HTML processing library for Python, is vulnerable to XML External Entity (XXE) injection attacks in versions prior to 6.1.0. This vulnerability specifically affects the <code>iterparse()</code> and <code>ETCompatXMLParser()</code> functions when used with their default configuration, where <code>resolve_entities</code> is set to <code>True</code>. This default setting allows an attacker to supply a specially crafted XML document that can force the parser to read arbitrary local files. This vulnerability was addressed in lxml 6.1.0 by changing the default <code>resolve_entities</code> setting to <code>'internal'</code>, mitigating the risk of local file access. The original report can be found at <a href="https://bugs.launchpad.net/lxml/+bug/2146291">https://bugs.launchpad.net/lxml/+bug/2146291</a>. This vulnerability is identified as CVE-2026-41066.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious XML document containing an external entity declaration. This declaration points to a local file path.</li>
<li>The attacker submits the crafted XML document to an application that uses the vulnerable <code>lxml.iterparse()</code> or <code>lxml.ETCompatXMLParser()</code> function.</li>
<li>The vulnerable lxml parser, configured with default settings (<code>resolve_entities=True</code>), attempts to resolve the external entity.</li>
<li>The parser reads the contents of the local file specified in the external entity declaration.</li>
<li>The application processes the parsed XML data, including the content of the local file.</li>
<li>The application may then display the file contents to the attacker or use it in further processing.</li>
<li>If the application is running with elevated privileges, the attacker might be able to read sensitive system files.</li>
<li>Successful exploitation can lead to information disclosure and potentially further compromise of the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this XXE vulnerability can lead to the disclosure of sensitive information stored on the server's local file system. This could include configuration files, application source code, or even sensitive data. The number of potential victims is dependent on the prevalence of vulnerable lxml library versions (&lt; 6.1.0) in applications that process untrusted XML input using <code>iterparse()</code> or <code>ETCompatXMLParser()</code> with default settings. The sectors impacted are broad, as lxml is a general-purpose library used in a wide variety of applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the lxml library to version 6.1.0 or later to patch CVE-2026-41066.</li>
<li>Explicitly set the <code>resolve_entities</code> option to <code>'internal'</code> or <code>False</code> when using <code>lxml.iterparse()</code> or <code>lxml.ETCompatXMLParser()</code> to disable local file access, as described in the advisory.</li>
<li>Deploy the Sigma rule <code>Detect lxml XXE via iterparse or ETCompatXMLParser</code> to identify potential XXE attacks targeting vulnerable lxml versions.</li>
<li>Review application code that uses lxml to ensure proper handling of XML input and prevent the processing of untrusted external entities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>lxml</category><category>XXE</category><category>vulnerability</category><category>CVE-2026-41066</category></item></channel></rss>