XXE in Logisim 2.7.1 and forks

Tags: security

Logisim 2.7.1 and all of its forks are vulnerable to an XML External Entity (XXE) attack through a maliciously constructed circuit file: the XML parser that loads `.circ` files resolves external entities declared in the file's DTD. Example XXE exploits are available on OWASP, and work with minor modification to fit the format of Logisim circuit files.

The official Logisim is no longer maintained, according to its website. As such, no attempt was made to notify the original maintainer. However, various forks of Logisim are maintained, and all were vulnerable to this issue. We notified the maintainers of the most common fork (Logisim Evolution) and the issue was fixed in version 2.14.4 (all prior versions are vulnerable).
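The root cause here is an XML parser that honours a DOCTYPE shipped inside user-supplied data. The following is an added example, not code from Logisim or Logisim Evolution and not the actual fix in 2.14.4: it shows the standard Java remediation of configuring `DocumentBuilderFactory` so that any DTD, and therefore any external entity, is rejected before a circuit file is loaded. The class name `SafeCircuitLoader`, the method names and the two inline circuit documents are all constructed for the illustration; a benign file parses, and a file carrying a DOCTYPE is refused regardless of what its entities point at.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical loader demonstrating XXE-hardened parsing of circuit XML.
public class SafeCircuitLoader {

    // Build a DocumentBuilder that refuses DTDs and external entities.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // A circuit file never needs a DTD; forbidding it outright closes off
        // XXE and entity-expansion (billion laughs) attacks in one setting.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the flag above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse a circuit file held in memory; throws SAXException on a DOCTYPE.
    static Document parseCircuit(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return hardenedBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed minimal document in the spirit of a Logisim project file.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<project version=\"1.0\"><circuit name=\"main\"/></project>";
        // Constructed: the same document with a DTD. The hardened parser rejects
        // any DOCTYPE, so the entity's content is irrelevant to the check.
        String withDtd = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE project [ <!ENTITY e \"x\"> ]>\n"
                + "<project><circuit name=\"&e;\"/></project>";

        System.out.println("benign root element: "
                + parseCircuit(benign).getDocumentElement().getTagName());
        try {
            parseCircuit(withDtd);
            System.out.println("FAIL: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected document with DOCTYPE: " + e.getMessage());
        }
    }
}
```

The `disallow-doctype-decl` feature alone is sufficient on the JDK's built-in parser; the remaining settings guard against a different JAXP implementation on the classpath that does not support it. When auditing a fork, the check is simply whether the `DocumentBuilderFactory` (or SAX/StAX equivalent) used to read `.circ` files is created with these features set.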

Posted on 2018-12-24