CVE-2026-24400
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
Description
An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`
- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`

### Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

- **Read arbitrary local files** via `file://` URIs (e.g., `/etc/passwd`, application configuration files)
- **Perform Server-Side Request Forgery (SSRF)** via HTTP/HTTPS URIs
- **Cause Denial of Service** via "Billion Laughs" entity expansion attacks

### Mitigation

`isXmlEqualTo(CharSequence)` has been deprecated in favor of [XMLUnit](https://www.xmlunit.org/) in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

1. Replace `isXmlEqualTo(CharSequence)` with XMLUnit, or
2. Upgrade to version 3.27.7, or
3. Avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input.

`XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

### References

- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)
- [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
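The root cause above is a `DocumentBuilderFactory` left at its defaults, which accept a DOCTYPE and resolve the entities it declares. The following is an added example, not AssertJ's own code, showing the hardened factory configuration from the OWASP cheat sheet referenced above next to the default one, so a practitioner can verify which behaviour their parser actually has. The class name `HardenedXmlParsing`, the helper names and the sample XML documents are constructed for this illustration; the sample uses only a harmless internal entity, because the point being tested is whether a DOCTYPE is accepted at all.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example (not AssertJ code): hardened JAXP parsing vs. the default factory.
public class HardenedXmlParsing {

    // Factory configured per the OWASP XXE Prevention Cheat Sheet.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: with no DTD there are no entity declarations to abuse.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Secure processing adds entity-expansion limits as a DoS guard.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    // Same shape as a default-configured toXmlDocument(String): no hardening at all.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder builder = dbf.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    // Returns true when the factory refuses a document carrying a DOCTYPE declaration.
    static boolean rejectsDoctype(DocumentBuilderFactory dbf, String xmlWithDoctype) throws Exception {
        try {
            parse(dbf, xmlWithDoctype);
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one plain document, one with a benign internal entity.
        String plain = "<note>hello</note>";
        String withDoctype = "<!DOCTYPE note [<!ENTITY greet \"hello\">]><note>&greet;</note>";

        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("hardened parses plain XML: "
                + parse(hardened, plain).getDocumentElement().getTagName());
        System.out.println("hardened rejects DOCTYPE: " + rejectsDoctype(hardened, withDoctype));

        DocumentBuilderFactory defaults = defaultFactory();
        System.out.println("default rejects DOCTYPE: " + rejectsDoctype(defaults, withDoctype));
        System.out.println("default expanded entity to: "
                + parse(defaults, withDoctype).getDocumentElement().getTextContent());
    }
}
```

Running this against the JDK's built-in parser prints `hardened rejects DOCTYPE: true` and `default rejects DOCTYPE: false`, which is the difference the advisory describes. When migrating to XMLUnit as the mitigation recommends, XMLUnit 2.x's `DiffBuilder` accepts a caller-supplied `DocumentBuilderFactory` through `withDocumentBuilderFactory`, so the hardened factory above can be reused there rather than relying on defaults.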
How to fix CVE-2026-24400
To remediate CVE-2026-24400, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.27.7 or later
Is CVE-2026-24400 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.