pathfinder scan --ruleset python/PYTHON-LANG-SEC-092 --project .

About This Rule
Understanding the vulnerability and how it is detected
Python's xmlrpc module implements the XML-RPC protocol for remote procedure calls. XML-RPC uses XML as its encoding format, and the parser used by xmlrpc.server and xmlrpc.client is vulnerable to XXE attacks when processing malicious XML-RPC payloads.
An attacker who can send XML-RPC requests to a server can craft payloads with external entity references that read local files or make network requests. On the client side, a malicious XML-RPC server can send responses with XXE payloads that read files on the client system.
defusedxml.xmlrpc monkey-patches the xmlrpc module to use safe XML parsing, preventing XXE attacks. For new implementations, REST over HTTPS is a more secure alternative to XML-RPC.
Security Implications
Potential attack scenarios if this vulnerability is exploited
Server-Side File Disclosure via XML-RPC XXE
A client sending a malicious XML-RPC request with XXE entities can cause the server to read local files (configuration files, credentials, SSH keys) and include their contents in error responses or method parameters.
SSRF via XML-RPC Client
When an XML-RPC client receives a malicious response from a compromised or malicious server, XXE entities in the response can cause the client to make HTTP requests to internal network resources or cloud metadata endpoints.
XML-RPC Server DoS via DTD
Billion Laughs attacks via XML-RPC requests can exhaust server memory and CPU resources, causing denial of service for legitimate users.
Blind XXE via XML-RPC Fault Responses
XML-RPC fault responses can contain XXE payloads. Blind XXE via out-of-band DNS or HTTP callbacks to attacker-controlled servers can exfiltrate data even when fault content is not directly returned to the attacker.
How to Fix
Recommended remediation steps
1. Call defusedxml.xmlrpc.monkey_patch() before using any xmlrpc module to patch the XML parser to prevent XXE.
2. For new implementations, migrate from XML-RPC to REST over HTTPS for a more secure, modern, and widely supported API protocol.
3. Use HTTPS instead of HTTP for all XML-RPC endpoints to protect credentials and data in transit.
4. Implement authentication and authorization on XML-RPC endpoints; the protocol itself provides no access control.
5. Validate and restrict XML-RPC method names and parameters to an explicit allowlist to prevent exploitation of server-side methods.
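To make step 1 concrete, here is an added, stdlib-only example (not Code Pathfinder's or defusedxml's code) showing what the monkey patch changes: the stock xmlrpc.client.ExpatParser expands a DTD-declared entity in a constructed methodCall, while a guard parser that mirrors defusedxml's approach rejects the DTD and still parses a benign request. GuardedExpatParser, DTDForbidden, parse_with and guarded_rejects are names introduced for this illustration.

```python
import xmlrpc.client

# Constructed request: its DTD declares an internal entity that the stock
# xmlrpc parser silently expands into the method's string parameter.
ENTITY_REQUEST = """<?xml version="1.0"?>
<!DOCTYPE methodCall [ <!ENTITY leak "expanded-by-parser"> ]>
<methodCall><methodName>echo</methodName>
<params><param><value><string>&leak;</string></value></param></params>
</methodCall>"""
# Constructed benign request (no DTD); it must still parse once guarded.
CLEAN_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>echo</methodName>
<params><param><value><string>hello</string></value></param></params>
</methodCall>"""
STOCK_PARSER = xmlrpc.client.ExpatParser  # what xmlrpc uses when unpatched

class DTDForbidden(ValueError):
    """Payload carried a DOCTYPE, entity declaration or external reference."""

class GuardedExpatParser(xmlrpc.client.ExpatParser):
    """ExpatParser that aborts on any DTD construct; mirrors
    defusedxml.xmlrpc.DefusedExpatParser, which you should prefer."""

    def __init__(self, target):
        super().__init__(target)
        p = self._parser  # pyexpat parser created by the base class
        p.StartDoctypeDeclHandler = self._forbid
        p.EntityDeclHandler = self._forbid
        p.UnparsedEntityDeclHandler = self._forbid
        p.ExternalEntityRefHandler = self._forbid

    @staticmethod
    def _forbid(*_args):
        raise DTDForbidden("DTD or entity construct in XML-RPC payload")

def parse_with(parser_cls, payload):
    """Unmarshal a methodCall; returns (method name, params tuple)."""
    target = xmlrpc.client.Unmarshaller()
    parser = parser_cls(target)
    parser.feed(payload)
    parser.close()
    return target.getmethodname(), target.close()

def guarded_rejects(payload):
    # True if the hardened parser refuses the payload.
    try:
        parse_with(GuardedExpatParser, payload)
    except DTDForbidden:
        return True
    return False
```

In production call defusedxml.xmlrpc.monkey_patch() at import time instead of hand-rolling this: it installs its hardened parser as xmlrpc.client.FastParser, which getparser() prefers, so xmlrpc.client.loads() and SimpleXMLRPCServer pick it up automatically.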
Detection Scope
How Code Pathfinder analyzes your code for this vulnerability
This rule detects usage of xmlrpc.client.ServerProxy(), xmlrpc.server.SimpleXMLRPCServer(), and xmlrpc.server.MultiPathXMLRPCServer() without prior application of defusedxml.xmlrpc.monkey_patch(). All xmlrpc usage is flagged for review.
Similar Rules
Explore related security rules for Python
Insecure XML Parsing (XXE Vulnerability)
xml.etree.ElementTree is vulnerable to XML External Entity (XXE) attacks. Use defusedxml for safe XML parsing.
Insecure xml.dom.minidom Usage (XXE)
xml.dom.minidom is vulnerable to XML External Entity (XXE) attacks. Use defusedxml.minidom for safe XML parsing.