ultimate-sitemap-parser is vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
75
High Risk
XMLSitemapParser in ultimate-sitemap-parser 1.8.0 and earlier parses untrusted XML with Python’s Expat parser without blocking DTDs or recursive entity expansion, making it vulnerable to XML Entity Expansion ("Billion Laughs") denial of service. A malicious sitemap can trigger exponential expansion of nested entities, leading to excessive CPU and memory consumption and causing the process to hang or crash. The issue is exploitable by default through public-facing parsing paths such as sitemap_tree_for_homepage() and sitemap_from_str(), with no authentication, user interaction, or special configuration required. An attacker could exploit this by hosting or supplying a crafted sitemap XML payload that, when fetched or parsed by the application, forces the parser into runaway expansion and renders the service unavailable.
You are affected if you are using a version that falls within the vulnerable range.
ultimate-sitemap-parser is vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in versions 0.0.1 - 1.8.0.
Upgrade the ultimate-sitemap-parser library to a patched version.
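As an added example that is not part of this advisory or of ultimate-sitemap-parser's own code, the guard below shows how a caller can refuse any sitemap that declares a DTD or an entity before Expat has a chance to expand anything, using only the standard-library xml.parsers.expat callbacks; both sample documents and the function names are constructed for this illustration.

```python
import xml.parsers.expat

# Constructed sample: an ordinary sitemap with two URLs (not from the page).
BENIGN_SITEMAP = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
    '<url><loc>https://example.com/</loc></url>'
    '<url><loc>https://example.com/about</loc></url>'
    '</urlset>'
)

# Constructed sample with a DTD and a single entity. The guard rejects any
# DTD outright, so nesting depth never matters and no expansion occurs.
DTD_SITEMAP = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE urlset [<!ENTITY a "x">]>'
    '<urlset><url><loc>&a;</loc></url></urlset>'
)


class UnsafeSitemapError(ValueError):
    """Raised when the document declares a DTD or an entity."""


def parse_sitemap_locs(xml_text: str) -> list[str]:
    """Return the <loc> values of a sitemap, refusing any document with a DTD."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    locs: list[str] = []
    state = {"in_loc": False, "buf": []}

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeSitemapError(f"DTD not allowed in sitemap (DOCTYPE {name})")

    def reject_entity(*_args):
        raise UnsafeSitemapError("entity declarations not allowed in sitemap")

    def start(name, attrs):
        # With namespace_separator=" " a name is "<uri> <local>" or "<local>".
        if name.rsplit(" ", 1)[-1] == "loc":
            state["in_loc"], state["buf"] = True, []

    def end(name):
        if state["in_loc"] and name.rsplit(" ", 1)[-1] == "loc":
            locs.append("".join(state["buf"]).strip())
            state["in_loc"] = False

    def chars(data):
        if state["in_loc"]:
            state["buf"].append(data)  # character data may arrive in chunks

    parser.StartDoctypeDeclHandler = reject_doctype  # fires before any entity
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)  # exceptions from handlers propagate here
    return locs


def rejects_dtd(xml_text: str) -> bool:
    """True when parse_sitemap_locs refuses the document as unsafe."""
    try:
        parse_sitemap_locs(xml_text)
    except UnsafeSitemapError:
        return True
    return False
```

This guard complements the upgrade rather than replacing it: it protects the caller's own parsing path, while the library's internal parser still needs the fixed release.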