CVE-2026-24400
AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
Description
An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`
- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`

### Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

- **Read arbitrary local files** via `file://` URIs (e.g., `/etc/passwd`, application configuration files)
- **Perform Server-Side Request Forgery (SSRF)** via HTTP/HTTPS URIs
- **Cause Denial of Service** via "Billion Laughs" entity expansion attacks

### Mitigation

`isXmlEqualTo(CharSequence)` has been deprecated in favor of [XMLUnit](https://www.xmlunit.org/) in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

1. Replace `isXmlEqualTo(CharSequence)` with XMLUnit, or
2. Upgrade to version 3.27.7, or
3. Avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input.

`XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

### References

- [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html)
- [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
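The following is an added example, not code from AssertJ or from this advisory. It shows the vulnerable pattern the description names (a `DocumentBuilderFactory` left at its defaults) next to a hardened factory configured as the OWASP cheat sheet recommends, and feeds both a constructed XXE payload. To keep the demonstration self-contained, the payload points at a temporary file the program writes itself rather than at `/etc/passwd`; the class name, method names and file contents are all assumptions for illustration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Vulnerable pattern: a factory at JDK defaults accepts a DOCTYPE and
    // resolves external general entities, so &xxe; below is replaced by file
    // contents (or an HTTP response body, for SSRF).
    static Document parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Hardened pattern: refuse any DOCTYPE outright. That alone defeats
    // external entities (file read, SSRF) and internal entity expansion
    // ("Billion Laughs"), because both need a DTD. The remaining features
    // are defence in depth for parsers that ignore disallow-doctype-decl.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" the attacker wants to exfiltrate; written to a
        // temp file so the demo runs on any machine without touching real data.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-CONTENT");

        // Constructed XXE payload: an external general entity referencing the file.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<foo>&xxe;</foo>";

        Document leaked = parseWithDefaults(payload);
        System.out.println("default factory expanded the entity to: "
            + leaked.getDocumentElement().getTextContent());

        try {
            parseHardened(payload);
            System.out.println("hardened factory accepted the payload (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened factory rejected the payload: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeHardeningDemo.java && java XxeHardeningDemo`; the first parse prints `SECRET-CONTENT` where the element text should be, the second fails with a parse error stating that DOCTYPE is disallowed. The same pattern applies when migrating to XMLUnit: the point is that whichever parser ends up behind an XML assertion must be configured this way before it sees fixture data from outside the repository.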
How to fix CVE-2026-24400
To fix CVE-2026-24400, upgrade the affected package to one of the patched versions listed below.
- No patched version listed
- Upgrade to 3.27.7 or later
Is CVE-2026-24400 being exploited?
Low: EPSS is 0.0%, and no widespread exploitation activity has been observed so far.