XLSX XXE Injection

What is XXE?

XML External Entity (XXE) injection is a vulnerability that targets applications which parse XML input. An attacker can define external entities within a DOCTYPE declaration that cause the XML parser to fetch remote resources, read local files, or perform server-side request forgery (SSRF).

How XLSX XXE Works

XLSX files are ZIP archives containing multiple XML files that define the spreadsheet's structure and data. Key XML files include:

  • [Content_Types].xml — Declares content types for all parts in the package
  • xl/workbook.xml — Defines the workbook structure (sheets, names)
  • xl/worksheets/sheet1.xml — Contains the actual cell data for sheet 1
  • _rels/.rels — Package-level relationships

When an application opens an XLSX file, its XML parser processes these embedded XML files. If the parser is not configured to disable external entities, any XXE payload injected into these XML files will be evaluated.

Attack Scenarios

Out-of-Band (OOB) Data Exfiltration

The attacker defines an external entity that contacts a server they control. This confirms the vulnerability exists and can be used to exfiltrate data via DNS or HTTP callbacks.

Local File Read

The attacker defines an entity referencing a local file path (e.g., file:///etc/passwd). When the parser evaluates the entity, the file contents are included in the parsed document and may be reflected back to the attacker.

Server-Side Request Forgery (SSRF)

The attacker defines an entity pointing to an internal service URL (e.g., http://169.254.169.254/latest/meta-data/). The XML parser makes the request from the server's network context, potentially accessing cloud metadata endpoints, internal APIs, or other services not exposed externally.

Defenses This Bypasses

  • File extension allowlisting — XLSX is a legitimate office format
  • MIME type checks — The file has a valid XLSX MIME type
  • Antivirus scanning — XXE payloads are not malware signatures
  • Content-Disposition checks — The file is a valid ZIP/XLSX archive

Defenses That Block This

  • Disabling DTD processing in XML parsers (most effective)
  • Disabling external entity resolution (e.g., setFeature("http://apache.org/xml/features/disallow-doctype-decl", true))
  • Using SAX/StAX parsers configured to ignore DTDs
  • Input sanitization that strips DOCTYPE declarations before parsing
  • Web Application Firewalls (WAF) with XXE detection rules

Related CVEs

  • CVE-2014-3529 — Apache POI XXE via XLSX
  • CVE-2017-5644 — Apache POI XXE vulnerability
  • CVE-2017-12626 — Apache POI denial of service via XXE
  • CVE-2018-1000632 — dom4j XXE vulnerability
  • CVE-2019-12415 — Apache POI XXE on XLSX workbook

References