Will It Vibe logoWill It Vibe?
JAVA-002Medium severity-8 points

XML parser not hardened against XXE

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

DocumentBuilderFactory is used to parse XML, and no setFeature call anywhere in the file disables DOCTYPE declarations or external entities. With defaults, a crafted XML document can read local files or trigger SSRF. This flags the absence of hardening in the whole file, so a shared helper class defined elsewhere in the project will not be seen; it is a heuristic.

Why it matters

DocumentBuilderFactory parses XML with external entities enabled by default. A crafted document can define an entity that reads a local file or makes the server issue an outbound request (SSRF), and the parser will happily resolve it before your code ever sees the result. This is one of the most common XXE entry points in real Java codebases because the vulnerable default is silent.

How to fix it

Call setFeature to disable DOCTYPE declarations and external entities before parsing: disallow-doctype-decl to true, and external-general-entities / external-parameter-entities to false. If you need a quick, safe default, wrap this in a small shared factory method used everywhere DocumentBuilderFactory is created.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks