GHSA-RQFH-9R24-8C9R

Vulnerability from github – Published: 2026-01-26 21:31 – Updated: 2026-01-29 03:24
Summary
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.27.6"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.assertj:assertj-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "3.27.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T21:31:41Z",
    "nvd_published_at": "2026-01-26T23:16:08Z",
    "severity": "HIGH"
  },
  "details": "An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.\n\nAn application is vulnerable only when it uses untrusted XML input with one of the following methods:\n\n- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`\n- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`\n\n### Impact\n\nIf untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:\n\n- **Read arbitrary local files** via `file://` URIs (e.g., `/etc/passwd`, application configuration files)\n- **Perform Server-Side Request Forgery (SSRF)** via HTTP/HTTPS URIs\n- **Cause Denial of Service** via \"Billion Laughs\" entity expansion attacks\n\n### Mitigation\n\n`isXmlEqualTo(CharSequence)` has been deprecated in favor of [XMLUnit](https://www.xmlunit.org/) in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:\n\n1. Replace `isXmlEqualTo(CharSequence)` with XMLUnit, or\n2. Upgrade to version 3.27.7, or\n3. Avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input.\n\n`XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.\n\n### References\n\n- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)\n- [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)",
  "id": "GHSA-rqfh-9r24-8c9r",
  "modified": "2026-01-29T03:24:21Z",
  "published": "2026-01-26T21:31:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24400"
    },
    {
      "type": "WEB",
      "url": "https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/assertj/assertj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion"
}

