# 400 Bad Request: XML parse error - entity expansion limit exceeded

- **ID:** `api/xml-parse-error-entity-expansion`
- **Domain:** api
- **Category:** data_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The XML request body contains deeply nested or numerous entity references whose expansion exceeds the parser's entity expansion limit. Modern parsers impose this limit as protection against billion laughs style attacks, and they reject the request rather than expand the entities.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| Java Xerces 2.12+ | active | — | — |
| Python defusedxml 0.7+ | active | — | — |
| libxml2 2.9+ | active | — | — |
| Spring Boot 3.x | active | — | — |

## Workarounds

1. **Validate and sanitize XML input before parsing, using a parser that refuses entity declarations.** (90% success)
   Example using Python defusedxml:
   ```python
   from defusedxml import ElementTree, EntitiesForbidden
   import io

   # xml_string holds the untrusted request body. defusedxml raises
   # EntitiesForbidden as soon as the document declares an entity, so an
   # entity expansion attack is rejected before any expansion takes place.
   try:
       tree = ElementTree.parse(io.StringIO(xml_string))
   except EntitiesForbidden:
       print('Entity expansion attack detected')
   ```
2. **Use JSON or another non-XML format for the API if XML entity expansion is not required.** (85% success)
3. **Implement a custom input filter to reject XML with excessive entity declarations before parsing.** (80% success)
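Workaround 3 as a concrete pre-parse filter, added here as an example (not code from the original page or from defusedxml): it uses only Python's standard library expat bindings, counts DOCTYPE and entity declarations before any tree is built, rejects bodies that exceed a declaration limit or reference external DTDs or entities, and only then hands the body to ElementTree. The `XmlRejected` class, the `inspect_xml`/`policy_verdict`/`parse_request_xml` names, the default limit of zero and the sample bodies are assumptions made for this example.

```python
# Pre-parse policy filter for untrusted XML bodies; stdlib only (added example).
import xml.etree.ElementTree as ET
from xml.parsers import expat

class XmlRejected(ValueError):
    """Body failed the policy; the API layer maps this to HTTP 400."""

def inspect_xml(body: bytes, max_entity_decls: int = 0) -> dict:
    """Count DTD/entity declarations via expat callbacks, building no tree.
    Declarations precede the body, so the scan aborts before any expansion."""
    counts = {"doctype": 0, "entities": 0, "external": 0}
    def on_doctype(name, sysid, pubid, has_internal_subset):
        counts["doctype"] += 1
        if sysid is not None or pubid is not None:
            counts["external"] += 1  # external DTD subset referenced
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        counts["entities"] += 1
        if sysid is not None or pubid is not None:
            counts["external"] += 1  # external (XXE-style) entity declaration
        if counts["entities"] > max_entity_decls:
            raise XmlRejected(f"more than {max_entity_decls} entity declarations")
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise XmlRejected(f"malformed XML: {exc}") from exc
    if counts["external"]:
        raise XmlRejected("external DTD or entity references are not allowed")
    return counts

def policy_verdict(body: bytes, max_entity_decls: int = 0) -> str:
    """Return 'accepted' or the rejection reason, as the API layer would log it."""
    try:
        inspect_xml(body, max_entity_decls)
        return "accepted"
    except XmlRejected as exc:
        return f"rejected: {exc}"

def parse_request_xml(body: bytes, max_entity_decls: int = 0) -> ET.Element:
    """Apply the policy filter, then build the tree with the regular parser."""
    inspect_xml(body, max_entity_decls)
    return ET.fromstring(body)

# Constructed samples: a benign body, and one whose internal DTD declares three
# chained entities (deliberately tiny; only the declaration shape matters).
BENIGN = b'<?xml version="1.0"?><order><id>42</id></order>'
WITH_ENTITIES = (b'<?xml version="1.0"?><!DOCTYPE order [ <!ENTITY a "x"> '
                 b'<!ENTITY b "&a;&a;"> <!ENTITY c "&b;&b;"> ]><order><id>&c;</id></order>')
```

Keep the declaration limit at zero unless a client genuinely needs internal entities; any non-zero limit lets the remaining declarations expand in the real parse, so pair it with a request-body size limit.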

## Dead Ends

- **Raising the parser's entity expansion limit** — This may make the application vulnerable to denial-of-service attacks; also, the error may still occur if the input is malicious. (60% fail)
- **Switching to a different XML parser** — Most secure parsers have similar limits; the underlying issue is the input data, not the parser. (50% fail)
- **Disabling the parser's security checks** — This removes security protections and may allow injection attacks, without fixing the entity expansion problem. (80% fail)
