AssertJ, XML External Entity (XXE) Vulnerability, Critical

Listen to this Post

The vulnerability exists in the `toXmlDocument(String)` method of `XmlStringPrettyFormatter` within the AssertJ library. This method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entity processing. When untrusted XML input is passed to the `isXmlEqualTo(CharSequence)` assertion or the `xmlPrettyFormat(String)` utility, the XML parser resolves external entities. An attacker can craft malicious XML containing external entity references. For example, using `file://` URIs, the parser can read arbitrary local files such as `/etc/passwd` or application configuration files. Similarly, external entities with HTTP/HTTPS URIs enable Server-Side Request Forgery (SSRF), allowing requests to internal systems. Additionally, nested entity expansions like the “Billion Laughs” attack can cause Denial of Service by consuming excessive memory. The vulnerability is exploitable only when these methods are used with untrusted XML, often in test environments handling external fixture files. The default factory configuration lacks security features like FEATURE_SECURE_PROCESSING, leaving the application exposed. Since `XmlStringPrettyFormatter` is used internally by isXmlEqualTo, any test using this assertion with user-controlled data is at risk. Mitigation requires disabling DTDs or using secure XML parsers. AssertJ has deprecated the vulnerable methods and provided fixes in later versions.
Platform: AssertJ
Version: Before 3.27.7
Vulnerability: XML External Entity
Severity: Critical
date: Not specified

Prediction: Patched in 3.27.7

What Undercode Say:

Analytics:

Check AssertJ version in Maven
mvn dependency:tree | grep assertj-core
Vulnerable code example
assertThat(untrustedXml).isXmlEqualTo(expectedXml);
XXE payload for file read
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><test>&xxe;</test>

How Exploit:

Provide malicious XML with external entities to `isXmlEqualTo` or xmlPrettyFormat. Use `file://` URIs to read local files. Use HTTP entities for SSRF attacks. Exploit test fixtures from untrusted sources.

Protection from this CVE:

Upgrade to AssertJ 3.27.7. Replace `isXmlEqualTo` with XMLUnit. Avoid untrusted XML input. Disable DTDs in parsers.

Impact:

Arbitrary file read, SSRF, Denial of Service.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top