Minimize Entity Expansion Threshold for GlideXMLUtil Scriptable [Updated in Security Center 1.3, 1.5, and 2.0]

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute read
  • Use the glide.xmlutil.max_entity_expansion property to change the maximum entity expansion limit to a smaller number.

    This property controls the maximum amount of entity expansion within an XML Parser. If glide.xmlutil.max_entity_expansion is not set to the recommended value of 3000 or less, then the GlideXMLUtil parsing scriptable may be vulnerable to denial of service attacks.

    Ensure the property glide.xmlutil.max_entity_expansion is set to 3000 or less. If the instance is on Washington or later, the default implied value is 3000 if the sys_properties record does not exist. If the instance is not on Washington or later, the recommendation is for the instance admin to create a sys_properties record with the name glide.xmlutil.max_entity_expansion and the value 3000.

    Note:
    500 is the default minimum imposed by the ServiceNow AI Platform, which is considered to be a safe threshold.

    More information

    | Attribute | Description |
    |---|---|
    | Property name | glide.xmlutil.max_entity_expansion |
    | Configuration type | System Properties (/sys_properties_list.do) |
    | Category | Validation, sanitization, and encoding |
    | Purpose | This remediation control must be enabled to defend against the XML Entity Expansion/Billion Laughs attack. |
    | Recommended value | 3000 |
    | Default value | 100000 |
    | Security risk rating | 5.3 |
    | Functional impact | If the customization is using large entity expansion, then the ServiceNow AI Platform might block further processing. |
    | Security risk | (Moderate) An attacker can use this vulnerability to expand data exponentially, quickly consuming all system resources. |

    To learn more about adding or creating a system property, see Add a system property.
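
    To show why the gap between the recommended value of 3000 and the default of 100000 matters, the following added example (not ServiceNow code, and not how GlideXMLUtil is implemented) counts the entity expansions that a document's internal DTD would trigger and compares the count with a limit. The counting rule (one expansion per resolved entity reference), the function names, and the constructed sample documents are assumptions made for illustration.

```javascript
// Added illustration: a generic model of an entity expansion limit.
// It counts expansions without ever building the expanded text.
const ENTITY_DECL = /<!ENTITY\s+([\w.-]+)\s+"([^"]*)">/g;
const ENTITY_REF = /&([\w.-]+);/g;
const PREDEFINED = new Set(['lt', 'gt', 'amp', 'apos', 'quot']);

// Collect internal <!ENTITY name "value"> declarations; the first one wins.
function parseEntities(xml) {
  const entities = new Map();
  for (const [, name, value] of xml.matchAll(ENTITY_DECL)) {
    if (!entities.has(name)) entities.set(name, value);
  }
  return entities;
}

// Each resolved reference costs 1 plus whatever its replacement text costs.
// Per-entity costs are memoized, so nested documents are measured cheaply.
function countExpansions(text, entities, memo = new Map(), stack = new Set()) {
  let total = 0n; // BigInt: nested entities grow exponentially
  for (const [, name] of text.matchAll(ENTITY_REF)) {
    if (PREDEFINED.has(name) || !entities.has(name)) continue;
    if (stack.has(name)) throw new Error(`recursive entity: ${name}`);
    if (!memo.has(name)) {
      stack.add(name);
      memo.set(name, 1n + countExpansions(entities.get(name), entities, memo, stack));
      stack.delete(name);
    }
    total += memo.get(name);
  }
  return total;
}

// Decide whether a document stays within the configured expansion limit.
function checkDocument(xml, limit) {
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]>/, '');
  const expansions = countExpansions(body, parseEntities(xml));
  return { expansions, allowed: expansions <= BigInt(limit) };
}

// Constructed sample input: each level references the previous one 10 times.
function sampleDoc(levels) {
  let dtd = '<!ENTITY e0 "x">';
  for (let i = 1; i < levels; i++) {
    dtd += `<!ENTITY e${i} "${`&e${i - 1};`.repeat(10)}">`;
  }
  return `<!DOCTYPE r [${dtd}]><r>&e${levels - 1};</r>`;
}
```

    In this model, a five-level sample needs 11111 expansions: a limit of 3000 rejects it, while a limit of 100000 lets it through.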