Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-24400

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
Back to all
CVE

CVE-2026-24400

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.2
-
4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
7.3
-
3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Related Resources

No items found.

References

https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r, https://nvd.nist.gov/vuln/detail/CVE-2026-24400, https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a, https://cheatsheetseries.owasp.org/cheatsheets/XMLExternalEntityPreventionCheat_Sheet.html, https://github.com/assertj/assertj, https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7

Severity

7.3

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.3
EPSS Probability
0.00012%
EPSS Percentile
0.01731%
Introduced Version
4.0.0-M1,1.4.0,1.0.0m1
Fix Available
3.27.7

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading