CVE-2026-40998
Spring · Web Services
The Jaxp13XPathTemplate component uses an insecure, unhardened XML parser for XPath expressions, potentially exposing applications to XML External Entity (XXE) attacks.
Executive summary
An insecure XML parsing implementation in Spring Web Services exposes applications to potential XML External Entity (XXE) injection attacks when processing XPath expressions.
Vulnerability
The Jaxp13XPathTemplate uses the JDK's default DocumentBuilderFactory instead of the hardened configuration that Spring provides. As a result, attacker-controlled XML supplied through a StreamSource or SAXSource can trigger external entity processing that the hardened configuration would have blocked.
Business impact
Assessed at a CVSS score of 8.2, this vulnerability is critical for any application processing XML-based inputs. Successful exploitation of an XXE vulnerability can lead to local file disclosure, server-side request forgery (SSRF), and potential denial of service, severely compromising the confidentiality and availability of the underlying server.
Remediation
Immediate Action: Upgrade to the latest fixed version of Spring Web Services as defined in the vendor advisory to ensure the use of secure, hardened XML parsing configurations.
Proactive Monitoring: Monitor for anomalous outbound network traffic from the application server, which may indicate an attempt to perform SSRF via an XXE injection.
Compensating Controls: Implement a Web Application Firewall (WAF) configured to inspect XML payloads and block requests containing malicious DOCTYPE or ENTITY declarations.
Exploitation status
Public Exploit Available: false
Analyst recommendation
XXE vulnerabilities are a classic but dangerous vector for internal system compromise. It is imperative that teams apply the recommended patches to move away from default, insecure XML parsing behaviors toward the hardened configurations provided by the vendor.