CVE-2026-42212 Overview
CVE-2026-42212 is an XML External Entity (XXE) vulnerability in SolidCAM-GPPL-IDE, an unofficial Postprocessor IDE extension for SolidCAM. The flaw affects version 1.0.0 and every later version prior to 1.0.2. Opening a .gpp file in the extension triggers the language server to parse a companion .vmid file from the same directory. The VMID parser calls XDocument.Load(path) without supplying XmlReaderSettings, inheriting .NET 8 defaults that permit Document Type Definition (DTD) processing. A crafted .vmid file can disclose local files via external entity references, exhaust memory through recursive entity expansion, and trigger denial of service via oversized or deeply nested XML. The issue is tracked under CWE-400 and patched in version 1.0.2.
Critical Impact
A malicious .vmid file paired with a .gpp file can read local files, exhaust system memory, and crash the language server when opened in the IDE.
Affected Products
- SolidCAM-GPPL-IDE version 1.0.0
- SolidCAM-GPPL-IDE versions after 1.0.0 and before 1.0.2
- VMID file parser component using XDocument.Load(path) on .NET 8
Discovery Timeline
- 2026-05-08 - CVE-2026-42212 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42212
Vulnerability Analysis
The SolidCAM-GPPL-IDE extension provides language server functionality for SolidCAM postprocessor development. When a user opens a .gpp file, the language server automatically locates and parses a companion .vmid file using the naming convention foo.gpp to foo.vmid. The parsing routine invokes XDocument.Load(path) without passing hardened XmlReaderSettings. Under .NET 8 defaults, this configuration permits DTD processing and external entity resolution.
An attacker who can deliver a malicious .vmid file alongside a project's .gpp file gains three attack primitives. File disclosure occurs when external entity references resolve local filesystem paths and embed their contents into parsed nodes. Memory exhaustion follows from recursive entity expansion patterns such as billion-laughs constructions. Denial of service results from oversized payloads or deeply nested element trees that overwhelm the parser.
Root Cause
The root cause is insecure XML parser configuration. The XDocument.Load(path) overload inherits .NET 8 framework defaults that allow DTD processing. The developer did not pass an XmlReaderSettings object with DtdProcessing = DtdProcessing.Prohibit or XmlResolver = null to disable external entity resolution and DTD parsing.
Attack Vector
Exploitation requires user interaction. An attacker delivers a project directory containing a benign-looking .gpp file and a malicious .vmid file. When the victim opens the .gpp file in Visual Studio Code with the SolidCAM-GPPL-IDE extension installed, the language server automatically parses the adjacent .vmid file. The malicious XML payload then triggers external entity resolution, entity expansion, or parser exhaustion. No authentication is required, and the network attack vector applies because malicious project files commonly travel through repositories, archives, or shared drives.
Technical implementation details and the patch diff are available in the GitHub Security Advisory GHSA-92vg-f4fq-fxm9 and the fix commit.
Detection Methods for CVE-2026-42212
Indicators of Compromise
- Presence of .vmid files containing <!DOCTYPE declarations or <!ENTITY definitions referencing external URIs or local file paths such as file:///.
- .vmid files with abnormally large size or deeply nested XML element structures inconsistent with legitimate VMID machine definition files.
- Language server process spikes in memory consumption or unresponsive states immediately after opening a .gpp file.
Detection Strategies
- Scan repositories and project directories for .vmid files containing DTD declarations or external entity references before opening them in the IDE.
- Inspect installed extension versions and flag any SolidCAM-GPPL-IDE installation reporting a version below 1.0.2.
- Monitor child processes of Visual Studio Code or the language server for outbound network connections initiated during XML parsing.
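A scanner that implements the first strategy above, added here as an example (it is not part of the extension or the advisory): it inspects every .vmid file under a directory for the indicators listed under Indicators of Compromise. The size and nesting thresholds are assumed values.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Xml;
static class VmidScanner
{
    // Thresholds are assumptions for illustration, not values from the advisory.
    const long MaxSizeBytes = 5 * 1024 * 1024;
    const int MaxDepth = 64;
    static readonly Regex DtdMarkers = new(@"<!DOCTYPE|<!ENTITY");
    static readonly Regex ExternalRef = new(@"\b(SYSTEM|PUBLIC)\b|file:///|https?://");
    // Returns the indicators found in one .vmid file; an empty list means nothing suspicious.
    public static List<string> Inspect(string path)
    {
        var findings = new List<string>();
        long size = new FileInfo(path).Length;
        if (size > MaxSizeBytes) findings.Add($"size {size} bytes exceeds {MaxSizeBytes}");
        string text = File.ReadAllText(path);
        if (DtdMarkers.IsMatch(text))
        {
            findings.Add("contains <!DOCTYPE or <!ENTITY");
            if (ExternalRef.IsMatch(text)) findings.Add("DTD references an external or local resource");
        }
        // Walk the tree with DTDs prohibited and no resolver: a DOCTYPE makes the reader
        // throw instead of expanding anything; DTD-free files still yield a depth reading.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        try
        {
            using var reader = XmlReader.Create(path, settings);
            int maxDepth = 0;
            while (reader.Read())
                if (reader.NodeType == XmlNodeType.Element) maxDepth = Math.Max(maxDepth, reader.Depth + 1);
            if (maxDepth > MaxDepth) findings.Add($"element nesting depth {maxDepth} exceeds {MaxDepth}");
        }
        catch (XmlException ex)
        {
            findings.Add($"hardened parser rejected file: {ex.Message}");
        }
        return findings;
    }
    static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : ".";
        foreach (string file in Directory.EnumerateFiles(root, "*.vmid", SearchOption.AllDirectories))
            foreach (string finding in Inspect(file)) Console.WriteLine($"{file}: {finding}");
    }
}
```

Run it against a checkout before opening any .gpp file in the IDE; a file that produces no output passed every check the page lists.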
Monitoring Recommendations
- Log file access events from the SolidCAM-GPPL-IDE language server process and alert on reads of sensitive files such as /etc/passwd, SSH keys, or credential stores.
- Track memory usage of language server processes and trigger alerts on sudden growth consistent with entity expansion attacks.
- Monitor developer workstations for project directories pulled from untrusted sources containing paired .gpp and .vmid files.
How to Mitigate CVE-2026-42212
Immediate Actions Required
- Upgrade SolidCAM-GPPL-IDE to version 1.0.2 or later through the Visual Studio Code marketplace.
- Audit existing project directories for untrusted .vmid files and remove or quarantine any containing DTD declarations.
- Restrict opening of .gpp files received from external or untrusted sources until the extension is patched.
Patch Information
Version 1.0.2 resolves the vulnerability by hardening the VMID parser configuration. The fix is published in the GitHub Release v1.0.2 and documented in the version 1.0.2 changelog. The patched parser disables DTD processing and external entity resolution when loading .vmid files.
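The hardening that the Root Cause section calls for and that version 1.0.2 is described as applying, written out as an added C# example; this is not the project's actual patch. The size limits, the LoadCompanion name and the logging are assumptions.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Linq;

static class VmidLoader
{
    // Before (as the advisory describes): XDocument.Load(vmidPath) with no settings.
    // After: read through an XmlReader that rejects DTDs, never resolves external
    // resources and caps input size. The size limits are assumed values.
    static readonly XmlReaderSettings Hardened = new()
    {
        DtdProcessing = DtdProcessing.Prohibit,      // any <!DOCTYPE> is a parse error
        XmlResolver = null,                          // no file:// or http:// fetches
        MaxCharactersInDocument = 10L * 1024 * 1024, // bounds oversized payloads
        MaxCharactersFromEntities = 1024,            // defence in depth if DTDs are ever re-enabled
    };

    // Follows the companion-file convention from the advisory: foo.gpp -> foo.vmid.
    public static XDocument? LoadCompanion(string gppPath)
    {
        string vmidPath = Path.ChangeExtension(gppPath, ".vmid");
        if (!File.Exists(vmidPath)) return null;
        try
        {
            using var reader = XmlReader.Create(vmidPath, Hardened);
            return XDocument.Load(reader);
        }
        catch (XmlException ex)
        {
            // Reject the file instead of letting the language server crash; the log
            // line doubles as a detection signal.
            Console.Error.WriteLine($"Rejected {vmidPath} (line {ex.LineNumber}): {ex.Message}");
            return null;
        }
    }

    static void Main(string[] args)
    {
        var doc = LoadCompanion(args.Length > 0 ? args[0] : "foo.gpp");
        Console.WriteLine(doc is null ? "no VMID loaded" : $"root element: {doc.Root?.Name}");
    }
}
```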
Workarounds
- Disable or uninstall the SolidCAM-GPPL-IDE extension until upgrading to version 1.0.2.
- Open .gpp files only from trusted project sources where the accompanying .vmid files have been reviewed.
- Pre-scan project archives for XML files containing <!DOCTYPE or <!ENTITY constructs before extracting them into development environments.
# Identify potentially malicious .vmid files in a project tree
grep -rlE '<!DOCTYPE|<!ENTITY' --include='*.vmid' /path/to/projects
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.