SolidCAM Postprocessor IDE XML External Entity Vulnerability in VMID Parser

Vulnerability

A vulnerability exists in the SolidCAM Postprocessor IDE extension for Visual Studio Code, specifically in versions 1.0.0 prior to 1.0.2. The issue arises when a .gpp file is opened, prompting the language server to parse a related .vmid file from the same directory. In these vulnerable versions the VMID parser called XDocument.Load without restrictive XmlReaderSettings, so DTDs and external entity references were processed, allowing XML External Entity (XXE) attacks. A malicious .vmid file could exploit this to disclose local files through external entity references, cause a denial of service by exhausting memory through recursive entity expansion, or disrupt the service with oversized or deeply nested XML. This vulnerability is particularly concerning because it can be triggered simply by opening a .gpp file from an untrusted source, such as a forum or a shared drive, since the extension loads the neighbouring .vmid file without any user action.

Impact

Exploitation of this vulnerability could lead to unauthorized access to local files, memory exhaustion causing the process to run out of resources, and denial-of-service by causing the application to become unresponsive.

Reproduction

To reproduce this vulnerability, open a .gpp file in the SolidCAM Postprocessor IDE extension version 1.0.0 or 1.0.1. The extension will automatically parse the accompanying .vmid file from the same directory. If the .vmid file contains malicious XML entities, the vulnerability will be exploited, leading to file disclosure or memory exhaustion.

Remediation

Users should upgrade to SolidCAM Postprocessor IDE version 1.0.2 or later, which addresses this vulnerability by disabling DTD processing, preventing external entity references, and adding a file size cap. Instructions for updating can be found on the GitHub Releases page for this extension.
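The following is an added example illustrating the hardening the advisory describes (DTD processing disabled, external entity resolution blocked, a file size cap); it is not the extension's own code, and the class, method and constant names (SafeVmidLoader, LoadSafe, MaxVmidBytes) and the sample .vmid documents are assumptions. It shows the vulnerable default-settings call beside a hardened loader that refuses any document carrying a DOCTYPE.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

// Added illustrative code, not the SolidCAM Postprocessor IDE extension's source.
// Names and the size limit below are assumptions for the example.
public static class SafeVmidLoader
{
    // Assumed cap: .vmid machine definitions are small configuration documents.
    private const long MaxVmidBytes = 4 * 1024 * 1024;

    // The pattern the advisory describes for 1.0.0/1.0.1: default settings, so a
    // DOCTYPE with external or recursive entities is honoured. Shown for comparison only.
    public static XDocument LoadUnsafe(string path)
    {
        return XDocument.Load(path);
    }

    public static XDocument LoadSafe(string path)
    {
        // File size cap checked before any parsing happens.
        var info = new FileInfo(path);
        if (info.Length > MaxVmidBytes)
            throw new InvalidDataException($".vmid file exceeds {MaxVmidBytes} bytes: {path}");

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,   // any DOCTYPE raises XmlException
            XmlResolver = null,                       // never resolve external resources
            MaxCharactersFromEntities = 1024,         // nonzero: 0 would mean "no limit"
            MaxCharactersInDocument = MaxVmidBytes,   // second cap enforced by the reader
        };

        using var stream = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read);
        using var reader = XmlReader.Create(stream, settings);
        return XDocument.Load(reader, LoadOptions.None);
    }

    // Demonstration on constructed sample files written to a temporary directory.
    public static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), "vmid-demo-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);

        // Constructed sample: a plain .vmid document with no DTD.
        string clean = Path.Combine(dir, "machine.vmid");
        File.WriteAllText(clean, "<?xml version=\"1.0\"?><vmid><machine name=\"demo\"/></vmid>");

        // Constructed sample: carries only a harmless internal entity, but the presence
        // of a DOCTYPE at all is what the hardened loader refuses.
        string withDtd = Path.Combine(dir, "machine-dtd.vmid");
        File.WriteAllText(withDtd,
            "<?xml version=\"1.0\"?><!DOCTYPE vmid [<!ENTITY n \"demo\">]><vmid><machine name=\"&n;\"/></vmid>");

        Console.WriteLine("clean: " + LoadSafe(clean).Root.Element("machine").Attribute("name").Value);

        try
        {
            LoadSafe(withDtd);
            Console.WriteLine("dtd: loaded (unexpected)");
        }
        catch (XmlException e)
        {
            Console.WriteLine("dtd: rejected - " + e.Message);
        }
    }
}
```

Prohibiting DTDs entirely is the right choice for a format like .vmid that has no legitimate need for them: it removes external entities, parameter entities and recursive expansion in one setting, while the explicit size caps bound what an oversized or deeply nested document can cost the language server before the parser gives up.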

Added: May 8, 2026, 10:23 PM
Updated: May 8, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.6
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.