...
An attacker may attempt to cause denial of service or program crashes by manipulating the URI of the entity to refer to special files existing on the local file system, for . For example, by specifying /dev/random or /dev/tty as input URIs. This may URIs can crash or indefinitely block the a program indefinitely. This is called an XML external entity (XXE) attack. Because inclusion of replacement text from an external entity is optional, not all XML processors are vulnerable to external entity attacks.
...