GHSA-rqfh-9r24-8c9r · Severity: high · Ecosystem: maven — AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Conclusion & alert: CVE-2026-24400 is rated Moderate Risk (47.7/100): CVSS High severity, with low exploitation likelihood (EPSS 0.54%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.01% | 0.54% | +0.54% |
| 2 | 2026-01-27 | — | 0.01% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.2 | 4.0 | HIGH |
|
— | — | [email protected] |
| 9.1 | 3.1 | CRITICAL |
|
3.9 | 5.2 | [email protected] |
GHSA-rqfh-9r24-8c9r · Severity: high · Ecosystem: maven — AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-24400 not yet assigned priority: Debian including 1 source packages (assertj-core), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 5. | https://security-tracker.debian.org/tracker/CVE-2026-24400 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-24400 |
suse
|
medium | CVE-2026-24400 severity moderate: SUSE including 11 source package names (13.2-9.1:libpython3_11-1_0-3.11.12-1.1, 13.2-9.1:python311-base-3.11.12-1.1, …), 60 product×package rows across 29 product lines (Container suse/sl-micro/6.0/toolbox, Image SL-Micro-Azure, … (29 product lines)): Fixed 58, First Fixed 2. | https://www.suse.com/security/cve/CVE-2026-24400/ |
ubuntu
|
medium | CVE-2026-24400 medium priority: Ubuntu including 1 source packages (assertj-core), 7 status rows across 7 suites (bionic, focal, jammy, noble, questing, upstream, xenial): needs-triage 7. | https://ubuntu.com/security/CVE-2026-24400 |
| URL | Tags |
|---|---|
| https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html | Technical Description |
| https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a | Patch |
| https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7 | Product Release Notes |
| https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r | Mitigation Vendor Advisory |