DOCX XXE Injection

What is XXE?

XML External Entity (XXE) injection is a vulnerability that targets applications which parse XML input. An attacker can define external entities within a DOCTYPE declaration that cause the XML parser to fetch remote resources, read local files, or perform server-side request forgery (SSRF).

How DOCX XXE Works

DOCX files are ZIP archives containing multiple XML files that define the Word document's structure and content. Key XML files include:

  • [Content_Types].xml — Declares content types for all parts in the package
  • word/document.xml — Contains the main document body (paragraphs, text runs)
  • word/_rels/document.xml.rels — Relationships for the document part
  • _rels/.rels — Package-level relationships

When an application opens a DOCX file, its XML parser processes these embedded XML files. If the parser is not configured to disable external entities, any XXE payload injected into these XML files will be evaluated.

Attack Scenarios

Out-of-Band (OOB) Data Exfiltration

The attacker defines an external entity that contacts a server they control. This confirms the vulnerability exists and can be used to exfiltrate data via DNS or HTTP callbacks.

Local File Read

The attacker defines an entity referencing a local file path (e.g., file:///etc/passwd). When the parser evaluates the entity, the file contents are included in the parsed document and may be reflected back to the attacker.

Server-Side Request Forgery (SSRF)

The attacker defines an entity pointing to an internal service URL (e.g., http://169.254.169.254/latest/meta-data/). The XML parser makes the request from the server's network context, potentially accessing cloud metadata endpoints, internal APIs, or other services not exposed externally.

Defenses This Bypasses

  • File extension allowlisting — DOCX is a legitimate office format
  • MIME type checks — The file has a valid DOCX MIME type
  • Antivirus scanning — XXE payloads are not malware signatures
  • Content-Disposition checks — The file is a valid ZIP/DOCX archive

Defenses That Block This

  • Disabling DTD processing in XML parsers (most effective)
  • Disabling external entity resolution
  • Using SAX/StAX parsers configured to ignore DTDs
  • Input sanitization that strips DOCTYPE declarations before parsing
  • Web Application Firewalls (WAF) with XXE detection rules

Related CVEs

  • CVE-2014-3529 — Apache POI XXE via Office Open XML
  • CVE-2017-5644 — Apache POI XXE vulnerability
  • CVE-2018-1000632 — dom4j XXE vulnerability
  • CVE-2022-23990 — Expat XML parser integer overflow in DTD processing

References