Require XMLdoc2 entity validation with allowlist [Updated in Security Center 1.3]
- Updated May 29, 2025
- Yokohama
- Platform Security
If customizations do not require entity expansion, use the glide.xmlutil.max_entity_expansion property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.
If the glide.stax.whitelist_enabled property doesn't exist in the System Properties [sys_properties] table, or is not set to the recommended value of true, then all external entities are allowed whenever the glide.stax.allow_entity_resolution property is set to true.
If customizations don't require entity expansion, use the glide.stax.allow_entity_resolution property to completely disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.
- If you set glide.stax.allow_entity_resolution to true, external entities are resolved and expanded, subject to the setting of the glide.stax.whitelist_enabled property.
- If you set glide.stax.allow_entity_resolution to false, all entity resolution and expansion is blocked. To learn more about this property, see Disable Entity Expansion within the XMLDocument2 Streaming Parser [Updated in Security Center 1.5].
When glide.stax.whitelist_enabled is set to true, define a comma-delimited list of FQDNs in the glide.xml.entity.whitelist property; these are the only hosts that XML entity processing can reach. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0]. Without these restrictions, attackers can use entity expansion to grow data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.
Prerequisites
- Set the glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled properties to true. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0].
- Define a comma-delimited list of FQDNs in the glide.xml.entity.whitelist property; these are the only hosts that XML entity processing can reach. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0].
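The following is an added example, not ServiceNow code or part of the original page: it models how the three properties above combine (resolution off, allowlist on, or unrestricted) so that an exported set of sys_properties values can be audited offline. The sample property values and hostnames are constructed, and treating a missing or malformed glide.stax.allow_entity_resolution value as "unknown" is an assumption, since the page does not state that property's default.

```javascript
// Property names exactly as described in the hardening guidance above.
const ALLOW_RES = "glide.stax.allow_entity_resolution";
const WL_ENABLED = "glide.stax.whitelist_enabled";
const WL_LIST = "glide.xml.entity.whitelist";

// props: plain object keyed by property name, values as stored (strings).
// Returns "blocked", "allowlist", "unrestricted" or "unknown".
function entityPolicy(props) {
  const allow = (props[ALLOW_RES] || "").trim().toLowerCase();
  if (allow === "false") return "blocked";   // all resolution and expansion blocked
  if (allow !== "true") return "unknown";    // ASSUMPTION: missing/malformed value is not classified
  // whitelist_enabled missing or not "true" means every external entity is allowed
  const wl = (props[WL_ENABLED] || "").trim().toLowerCase();
  return wl === "true" ? "allowlist" : "unrestricted";
}

// Comma-delimited FQDNs from glide.xml.entity.whitelist, normalised for comparison.
function allowlistHosts(props) {
  return (props[WL_LIST] || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Would an external entity whose system identifier is `systemId` be fetched?
function entityAllowed(props, systemId) {
  const policy = entityPolicy(props);
  if (policy === "blocked" || policy === "unknown") return false;
  if (policy === "unrestricted") return true;
  let host;
  try { host = new URL(systemId).hostname.toLowerCase(); } catch (e) { return false; }
  return allowlistHosts(props).includes(host);  // exact FQDN match only
}

// Audit findings against the recommended hardening; empty array means compliant.
function auditProps(props) {
  const findings = [];
  const policy = entityPolicy(props);
  if (policy === "unrestricted") findings.push(`${ALLOW_RES} is true but ${WL_ENABLED} is not true: all external entities resolve`);
  if (policy === "unknown") findings.push(`${ALLOW_RES} is missing or not true/false`);
  if (policy === "allowlist" && allowlistHosts(props).length === 0) findings.push(`${WL_LIST} is empty`);
  return findings;
}

// Constructed sample values: a weak configuration beside the hardened one.
const weakProps = { [ALLOW_RES]: "true" };  // whitelist_enabled absent from sys_properties
const hardenedProps = {
  [ALLOW_RES]: "true",
  [WL_ENABLED]: "true",
  [WL_LIST]: "schemas.example.com, dtd.example.org",
};
```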
More information
To learn more about adding or creating a system property, see Add a system property.
For more information about OWASP resources, see OWASP.