GHSA-2jx7-xg83-j2m7: Zendframework Denial of Service vector via XEE injection

June 7, 2024

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

References

framework.zend.com/security/advisory/ZF2012-02
github.com/FriendsOfPHP/security-advisories/blob/master/zendframework/zendframework1/ZF2012-02.yaml
github.com/advisories/GHSA-2jx7-xg83-j2m7
github.com/zendframework/zf1

Detect and mitigate GHSA-2jx7-xg83-j2m7 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →