Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3]

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Require XMLdoc2 entity validation with allowlistDisable entity expansion [Updated in Security Center 1.3]

    This documentation addresses how ServiceNow customers can secure their platform against XML External Entity (XXE) attacks by managing entity expansion during XML parsing in the XMLDocument2 (XMLdoc2) streaming parser. The guidance focuses on system properties that control entity resolution and expansion, enabling customers to prevent resource exhaustion caused by malicious XML inputs.

    Show full answer Show less

    Key Features

    • Entity Expansion Control: Use the glide.xmlutil.maxentityexpansion property to completely disable external entity expansion when customizations do not require it. This allows XML parsing to complete without processing any internal or external entities.
    • Entity Resolution Settings: The glide.stax.allowentityresolution property controls whether external entities are resolved or expanded. Setting it to false blocks all entity resolution and expansion, while true allows resolution subject to whitelist restrictions.
    • Whitelist Enforcement: The glide.stax.whitelistenabled property must be set to true to enable an allowlist of safe domains defined in the glide.xml.entity.whitelist property. Only URLs in this whitelist can be accessed during XML entity processing.
    • Safe Harbor Property: The glide.stax.whitelistenabled property is a safe harbor property—once enabled, its value cannot be changed or reverted, ensuring consistent security enforcement.

    Key Outcomes

    • Enhanced Security: Enabling these properties mitigates the risk of XXE attacks, which can exponentially expand data and exhaust system resources, rated with a high security risk of 9.8.
    • Controlled XML Parsing: Customers can safely allow entity expansion only when necessary and restrict it to trusted domains, preventing unauthorized or malicious external entity access.
    • Customization Impact: Customers using entity expansion in customizations should carefully enable the whitelist and define allowed URLs; otherwise, entity expansion is blocked to maintain security.
    • Non-revertible Configuration: Since the whitelist enablement is non-revertible, customers must plan and test before applying these changes in production environments.

    Practical Guidance

    • Before enabling entity resolution, set glide.stax.whitelistenabled and glide.xml.entity.whitelist.enabled to true.
    • Define a comma-separated list of fully qualified domain names (FQDNs) in glide.xml.entity.whitelist to restrict external entity processing to trusted URLs.
    • If entity expansion is not required, disable it entirely using glide.xmlutil.maxentityexpansion or set glide.stax.allowentityresolution to false.
    • Follow documented procedures for adding or modifying system properties to implement these settings safely.

    If customizations do not require entity expansion, use the glide.xmlutil.max_entity_expansion property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

    If the glide property glide.stax.whitelist_enabled doesn't exist in the System Properties [sys_properties] table, or is not set to the recommended value of true, then all external entities are allowed when the glide property glide.stax.allow_entity_resolution is set to the value of true.

    If customizations don't require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

    When glide.stax.whitelist_enabled is set to true, define a listing of comma-delimited FQDN in the glide.xml.entity.whitelist property, which are the only URLs that can be reached using the XML entity processing property. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0]. Attackers can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.

    Prerequisites

    Before setting this property:
    Warning:
    This is a safe harbor property, meaning the value can't be altered once it's changed. It is non-revertible.

    More information

    Attribute Description
    Property name glide.stax.whitelist_enabled
    Configuration type System Properties (/sys_properties_list.do)
    Category Validation, sanitization, and encoding
    Purpose This remediation control must be enabled to defend against an XML Entity Expansion/Billion Laugh attack.
    Recommended value true
    Default value false
    Security risk rating 9.8
    Functional impact If the customization is using entity expansion, then, the ServiceNow AI Platform might block further processing.
    Security risk An attacker can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.
    Workaround If the customization requires entity expansion, set this property to true and follow the steps documented in Restrict XML external entities [Updated in Security Center 1.3 and 2.0].

    To learn more about adding or creating a system property, see Add a system property.

    For more information about OWASp resources, see OWASp.