Expected Findings
- XML parser resolves external entities by default.
- `file://` entities return the contents of local files.
- Returned SVG embeds the leaked content in `<text>` nodes.
SVG Renderer
XXE in SVG
The avatar SVG processor parses external entities, so an uploaded SVG can read local files and surface them in the rendered preview.
CWE-611
Avatar parse
Primary Flows
- Parse endpoint POST SVG/XML, entities resolved
- Renderer config Shows DTD + entity flags on
Signals
Parser
parser.SetFlag("resolve-external-entities", true)