XXE injection in PMML4S parser via malicious .pmml model file
Target: autodeployai/pmml4s (Scala) / pypmml (Python wrapper)
Version: 1.5.8 (latest)
Type: CWE-611 — XML External Entity (XXE)
Vulnerability
The PMML4S XML parser uses XMLInputFactory.newFactory() without disabling external entity resolution. A crafted .pmml file triggers XXE when loaded via pypmml.Model.fromFile() or fromString().
Root cause: pull.scala#L90-L99
PoC Files
| File | Impact |
|---|---|
1_file_read_etc_passwd.pmml |
Reads /etc/passwd via file:/// entity |
2_ssrf_http_request.pmml |
Sends HTTP request to attacker server via http:// entity |
3_dos_billion_laughs.pmml |
Exponential entity expansion (memory exhaustion) |
Reproduce
pip install pypmml==1.5.8
python reproduce.py
Requires Java 8+ (OpenJDK recommended).
Expected Output
[+] VULNERABLE — /etc/passwd was read by the XML parser
[+] SSRF RECEIVED: GET /SSRF_CONFIRMED from 127.0.0.1
[+] VULNERABLE — XML bomb loaded, entities expanded
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support