{"id":"GHSA-qpmc-wprv-x746","summary":"Inline DTD allows XML bomb attack","details":"The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elixir allows attackers to cause a denial of service (resource consumption) via an XML entity expansion attack with an inline DTD. Applications that parse untrusted XML with an affected version are exposed; 0.7.0 is the first fixed version listed in this record.","aliases":["CVE-2019-15160"],"modified":"2025-12-10T00:31:54.100217Z","published":"2022-04-12T21:31:26Z","database_specific":{"severity":"HIGH","nvd_published_at":null,"github_reviewed":true,"cwe_ids":["CWE-611","CWE-776"],"github_reviewed_at":"2022-04-12T21:31:26Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15160"},{"type":"WEB","url":"https://github.com/kbrw/sweet_xml/issues/71"},{"type":"PACKAGE","url":"https://github.com/kbrw/sweet_xml"},{"type":"WEB","url":"https://hex.pm/packages/sweet_xml"}],"affected":[{"package":{"name":"sweet_xml","ecosystem":"Hex","purl":"pkg:hex/sweet_xml"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.7.0"}]}],"versions":["0.1.0","0.1.1","0.2.0","0.2.1","0.3.0","0.4.0","0.5.0","0.5.1","0.6.0","0.6.1","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-qpmc-wprv-x746/GHSA-qpmc-wprv-x746.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}