CVE-2018-25282
XML Entity Expansion DoS in Nmap 7.70 ZenMap Import
Publication date: 2026-04-26
Last updated on: 2026-04-26
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| insecure | xml | 7.70 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Nmap 7.70 and is a denial of service issue. It allows local attackers to crash the application by processing malicious XML files that contain exponential entity expansion. Specifically, attackers can craft an XML file with nested entity definitions and open it using ZenMap's scan import functionality, causing the program to consume excessive system resources and ultimately crash.
How can this vulnerability impact me? :
The impact of this vulnerability is a denial of service condition. By exploiting the vulnerability, an attacker can cause the Nmap application to crash, leading to a loss of availability. This can disrupt normal operations that rely on Nmap or ZenMap for network scanning and analysis.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid opening or importing untrusted or malicious XML files with ZenMap's scan import functionality, as these files can contain crafted nested entity definitions that cause excessive resource consumption and crash the application.
Additionally, consider updating Nmap to a version that addresses this vulnerability once available, or restrict local access to the application to trusted users only.