XML entity expansion exploits a capability of XML document type definitions that allows the creation of custom macros, called entities. By recursively defining a set of custom entities at the top of a document, an attacker can overwhelm parsers that attempt to completely resolve these entities, resulting in a denial-of-service condition.
The XML entity expansion attack requires that the target accept XML input and either set no upper limit on entity expansion or set a limit so large that it does not preclude significant resource consumption. An attacker submits an XML document to the target application that uses nested entity expansion to produce an excessively large expanded document.
XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to place excessive demands on the CPU and memory available to the XML processor: a small number of nested expansions can result in exponential growth in memory demand.
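The upper limit discussed above can be enforced before parsing by computing each entity's expanded length arithmetically instead of expanding it. The following is an added example, not code from the original page. The function names, the 100,000-character limit and both sample documents are assumptions constructed for illustration, and the check covers internal general entities only (not parameter or external entities).

```python
import re

# Internal general entity declarations: <!ENTITY name "value"> or 'value'
ENTITY_DECL = re.compile(r"<!ENTITY\s+([\w.:-]+)\s+([\"'])(.*?)\2\s*>", re.S)
ENTITY_REF = re.compile(r"&([\w.:-]+);")

def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length, computed
    arithmetically so no expansion is ever materialised in memory."""
    decls = {name: value for name, _q, value in ENTITY_DECL.findall(xml_text)}
    sizes = {}

    def size(name, stack):
        if name not in decls:        # predefined (&amp;) or undeclared: count as written
            return len(name) + 2
        if name in sizes:            # memoised, so shared sub-entities cost O(1)
            return sizes[name]
        if name in stack:            # self-reference is not well-formed XML
            raise ValueError(f"recursive entity: {name}")
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))
        total += sum(size(ref, stack | {name}) for ref in ENTITY_REF.findall(value))
        sizes[name] = total
        return total

    for name in decls:
        size(name, frozenset())
    return sizes

def within_limit(xml_text, max_chars=100_000):
    """Return (ok, estimated_size) for the document after entity expansion."""
    sizes = expanded_sizes(xml_text)
    body = ENTITY_DECL.sub("", xml_text)     # everything except the declarations
    total = len(ENTITY_REF.sub("", body))
    total += sum(sizes.get(ref, len(ref) + 2) for ref in ENTITY_REF.findall(body))
    return total <= max_chars, total

# Constructed sample: five nesting levels with a fan-out of ten, 334 bytes as sent.
SAMPLE = ('<!DOCTYPE d [\n<!ENTITY e0 "0123456789">\n'
          + "".join('<!ENTITY e%d "%s">\n' % (i, ("&e%d;" % (i - 1)) * 10)
                    for i in range(1, 6))
          + "]>\n<d>&e5;</d>")
# Constructed sample: ordinary use of an entity as a text macro.
BENIGN = '<!DOCTYPE d [<!ENTITY co "Example Corp">]><d>&co; and &co;</d>'

if __name__ == "__main__":
    print(len(SAMPLE), within_limit(SAMPLE))
    print(len(BENIGN), within_limit(BENIGN))
```

Each additional nesting level in the sample multiplies the expanded size by ten while adding only 56 bytes to the input, which is the exponential growth the text describes. A document that fails the check should be rejected without being handed to the parser.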