Security Advisory

ZF2012-02: Denial of Service vector via XEE injection

Zend_Dom, Zend_Feed, Zend_Soap, and Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service vectors. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.

Action Taken

All locations where SimpleXML or DOMDocument were used with user input were patched. The patches mitigate the XEE vector by first calling libxml_disable_entity_loader(), and then looping through the DOMDocument children, testing if any are of type XML_DOCUMENT_TYPE_NODE; if so, an exception is raised and execution is halted.

Where SimpleXML is used, the XML is loaded first via DOMDocument and scanned as noted above; once validated, the DOMDocument instance is passed to simplexml_import_dom().

This patch has been applied starting in versions 1.11.13 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and first released with 2.0.0rc4).


If you are using either Zend_Dom, Zend_Feed, Zend_Soap or Zend_XmlRpc in your projects, we recommend immediately upgrading to 1.11.13 or greater.

Other Information


The Zend Framework team thanks the following for working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.


Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

Released Mon, 20 August 2012 14:00:00 -0500.

back to advisories