XXE on https://duckduckgo.com
Discovered by mik317 on Duckduckgo

This issue took 0 Days and 0 hours to triage and 0 Days and 12 hours to resolve once triaged.



An XML External Entity (XXE) injection vulnerability was discovered in the <code>x.js</code> endpoint on <a title="https://duckduckgo.com" href="/redirect?signature=704d370d35afd5f3eff200c403f67a3995ef86fa&amp;url=https%3A%2F%2Fduckduckgo.com" target="_blank" rel="nofollow noopener noreferrer">https://duckduckgo.com</a> via the <code>u</code> parameter. This was due to improper sanitization of external XML entities. The result was a leak of certain world-readable files on the system.
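The report does not show how <code>x.js</code> parsed its input, so the snippet below is an added illustration (not DuckDuckGo's code) of the standard mitigation for this bug class: reject any document that declares a DTD, the only place an external entity can be defined, before the parser ever sees it, and treat any non-predefined entity reference as a finding. It assumes the endpoint parsed client-supplied XML; the sample documents and <code>PLACEHOLDER_PATH</code> are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when inbound XML carries a DTD or a non-predefined entity reference."""


# Comments and CDATA sections cannot introduce a DTD, so strip them before scanning
# (otherwise a harmless "<!DOCTYPE" inside a comment would trip the gate).
_COMMENT = re.compile(r"<!--.*?-->", re.S)
_CDATA = re.compile(r"<!\[CDATA\[.*?\]\]>", re.S)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# Any named entity other than the five predefined ones (or a numeric char ref)
# must have been declared in a DTD, which a clean document never carries.
_CUSTOM_ENTITY = re.compile(
    r"&(?!amp;|lt;|gt;|quot;|apos;|#\d+;|#x[0-9a-fA-F]+;)[^\s;&<>]+;")


def xxe_findings(doc: str) -> list:
    """Return the reasons a document is unsafe to parse; an empty list means clean."""
    stripped = _CDATA.sub("", _COMMENT.sub("", doc))
    findings = []
    if _DOCTYPE.search(stripped):
        findings.append("DOCTYPE declaration present (DTDs and entities are not accepted)")
    for ref in sorted(set(_CUSTOM_ENTITY.findall(stripped))):
        findings.append(f"non-predefined entity reference {ref}")
    return findings


def parse_untrusted_xml(doc: str) -> ET.Element:
    """Gate first, parse second: documents with a DTD never reach the parser."""
    problems = xxe_findings(doc)
    if problems:
        raise UnsafeXMLError("; ".join(problems))
    return ET.fromstring(doc)


# Constructed samples, not traffic from the report.
BENIGN = "<query><u>https://example.com/feed</u></query>"
# The general shape a DTD-based document takes; the path is a placeholder.
WITH_DTD = ('<!DOCTYPE query [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
            "<query><u>&ext;</u></query>")
# A DOCTYPE inside a comment or CDATA is inert and must not be rejected.
COMMENTED = "<!-- <!DOCTYPE x> --><query><u><![CDATA[<!DOCTYPE y>]]></u></query>"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("dtd", WITH_DTD), ("commented", COMMENTED)]:
        try:
            print(name, "parsed, u =", parse_untrusted_xml(sample).findtext("u"))
        except UnsafeXMLError as exc:
            print(name, "rejected:", exc)
```

This gate complements, rather than replaces, disabling DTD processing and external entity resolution in the XML library itself; a parser that cannot resolve entities at all is the primary control.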

This issue was patched. Additionally, we intend to retire the endpoint in the very near future.

Big thanks to <a href="/mik317">@mik317</a> for reporting this issue!