Will It Vibe logoWill It Vibe?
CSHARP-014High severity-15 points

XML DTD processing explicitly enabled

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

DtdProcessing.Parse is set on an XmlReaderSettings/XmlTextReader, explicitly re-enabling DTD parsing. An XML parser that resolves external DTDs/entities on untrusted input is vulnerable to XXE: local file disclosure, SSRF, or denial of service via entity expansion.

Why it matters

Setting DtdProcessing.Parse explicitly re-enables DTD parsing in an XML reader. If that reader ever processes XML from outside your own trusted sources, a crafted document can define external entities that read local files, make outbound network requests (SSRF), or exhaust memory/CPU through entity expansion. This class of bug (XXE) has led to real file-disclosure and internal-network-scanning vulnerabilities in many languages, not just .NET.

How to fix it

Remove the explicit DtdProcessing.Parse setting; current .NET XmlReaderSettings default to DtdProcessing.Prohibit, which is the safe choice for untrusted input. If the application genuinely needs to parse DTDs from a trusted, fixed source, set XmlResolver to null (or a resolver restricted to known-safe local files) so external entity resolution cannot reach the network or arbitrary files.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks