CAPEC-197 Detail

Exponential Data Expansion

Abstraction: Detailed
Domain: Software
Likelihood of Attack: High
Typical Severity: Medium

Parents: 230

Threats: T61 T64 T74 T77 T269 T289

Description

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.


External ID / Source / Link / Description
CAPEC-197 capec https://capec.mitre.org/data/definitions/197.html
CWE-770 cwe http://cwe.mitre.org/data/definitions/770.html
CWE-776 cwe http://cwe.mitre.org/data/definitions/776.html
44 WASC http://projects.webappsec.org/XML-Entity-Expansion XML Entity Expansion
REF-64 reference_from_CAPEC http://www.securityfocus.com/archive/1/303509 Amit Klein, "Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD"
REF-65 reference_from_CAPEC http://www.webtorials.com/main/comnet/cn2003/web-service/24.pdf Pete Lindstrom, "Attacking & Defending Web Services", SPiRE Security, 2002
REF-66 reference_from_CAPEC http://www.ibm.com/developerworks/xml/library/x-tipcfsx.html Elliotte Rusty Harold, "Tip: Configure SAX parsers for secure processing", IBM developerWorks, 2005-05-27
REF-67 reference_from_CAPEC http://msdn.microsoft.com/en-us/magazine/ee335713.aspx Bryan Sullivan, "XML Denial of Service Attacks and Defenses"
Execution Flow

Explore
  1. Survey the target: An adversary determines the input data stream that is being processed by a data parser that supports substitution on the victim's side.
     Techniques:
     - Use an automated tool to record all instances of URLs to process requests.
     - Use a browser to manually explore the website and analyze how the application processes requests.

Experiment
  1. Craft malicious payload: The adversary crafts a malicious message containing nested exponential expansion that completely uses up available server resources. See the "Example Instances" section for details on how to craft this malicious payload.

Exploit
  1. Send the message: Send the maliciously crafted message to the target URL.

Prerequisites
  1. This type of attack requires that the target must receive input but either fail to provide an upper limit for entity expansion or provide a limit that is so large that it does not preclude significant resource consumption.

Resources Required
  1. None: No specialized resources are required to execute this type of attack.

Skills Required
  Low: Ability to craft nested data expansion messages.

Consequences
  Availability:
  - Unreliable Execution (Denial of Service)
  - Resource Consumption (Denial of Service)
Example Instances
  1. The most common example of this type of attack is the "many laughs" attack (sometimes called the "billion laughs" attack). For example: ]>&lol9; This is well-formed and valid XML according to the DTD. Each entity increases the number of entities by a factor of 10. The line of XML containing &lol9; expands exponentially to a message with 10^9 entities. A small message of a few KB in size can easily be expanded into a few GB of memory in the parser. By adding 3 more entities similar to the lol9 entity to the DTD, the expansion could exceed a TB, as there would then be 10^12 entities. Depending on the robustness of the target machine, this can lead to resource depletion, an application crash, or even the execution of arbitrary code through a buffer overflow.
  2. This example is similar, but uses YAML anchors (&name) and aliases (*name). This was used to attack Kubernetes [REF-686]:
     a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
     b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
     c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b]
     d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c]
     e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d]
     f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e]
     g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
     h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
     i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
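Added example (not CAPEC's or this site's code): a pre-parse guard for the XML variant above that implements the upper limit on entity expansion the Prerequisites section says a vulnerable target lacks. It reads the internal entity declarations of a DTD and computes, from the declarations alone and without expanding anything, how large each reference in the document body would become, rejecting input that exceeds a configured limit or whose entities reference each other in a cycle. The regex grammar, function names, limit and the three-level sample document are all constructed for this example.

```python
import re

# Internal general-entity declarations, e.g. <!ENTITY lol1 "&lol0;&lol0;"> (minimal grammar, constructed)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')

def parse_entities(dtd: str) -> dict:
    """Map entity name -> replacement text for every internal entity declared in the DTD."""
    return dict(ENTITY_DECL.findall(dtd))

def expanded_size(entities: dict, name: str, limit: int) -> int:
    """Characters that &name; would occupy after full expansion, computed from the declarations
    alone (nothing is expanded). Raises ValueError past `limit` or on a reference cycle."""
    memo = {}
    def size_of(ent, stack):
        if ent in memo:
            return memo[ent]
        if ent in stack:
            raise ValueError(f"recursive entity reference via &{ent};")
        if ent not in entities:
            return 1  # predefined entities (&amp; &lt; ...) expand to one character
        text = entities[ent]
        total = len(ENTITY_REF.sub("", text))  # literal characters in the replacement text
        for ref in ENTITY_REF.findall(text):  # plus the expanded size of every nested reference
            total += size_of(ref, stack | {ent})
            if total > limit:
                raise ValueError(f"expansion of &{ent}; exceeds {limit} characters")
        memo[ent] = total
        return total
    return size_of(name, frozenset())

def check_document(xml: str, limit: int = 10_000_000):
    """Guard to run before a real parser: (True, expanded size) if every entity reference in
    the body (after the DOCTYPE) fits within `limit` in total, else (False, reason)."""
    head, _, body = xml.partition("]>")
    entities, total = parse_entities(head), 0
    try:
        for ref in ENTITY_REF.findall(body):
            total += expanded_size(entities, ref, limit - total)  # remaining budget only
    except ValueError as err:
        return False, str(err)
    return True, total

# Constructed three-level sample: 10x fan-out per level, the page's lol9 chain cut short
_decls = ['<!ENTITY lol0 "lol">']
for n in range(1, 4):
    _decls.append(f'<!ENTITY lol{n} "' + f"&lol{n - 1};" * 10 + '">')
SAMPLE_XML = '<?xml version="1.0"?>\n<!DOCTYPE x [\n' + "\n".join(_decls) + "\n]>\n<x>&lol3;</x>\n"
```

The sample expands to 3000 characters, so it passes a 10,000-character limit and is rejected at 1,000 without the parser ever building the expanded text.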