{"id":"CVE-2026-24400","summary":"AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion","details":"AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs; and/or cause Denial of Service via \"Billion Laughs\" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input.\n`XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.","aliases":["GHSA-rqfh-9r24-8c9r"],"modified":"2026-04-10T05:40:47.193632Z","published":"2026-01-26T22:19:02.161Z","related":["SUSE-SU-2026:0344-1","SUSE-SU-2026:20604-1","openSUSE-SU-2026:10106-1","openSUSE-SU-2026:20298-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24400.json","cwe_ids":["CWE-611"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"},{"type":"WEB","url":"https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24400.json"},{"type":"ADVISORY","url":"https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24400"},{"type":"FIX","url":"https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/assertj/assertj","events":[{"introduced":"dd1322636590a74cb00d1f9b1c1f5014f4487086"},{"fixed":"e84071667f5f8f13084af9dfa54cee5fd9db18db"}]}],"versions":["assertj-build-3.24.0","assertj-build-3.24.1","assertj-build-3.25.0","assertj-build-3.25.1","assertj-build-3.25.2","assertj-build-3.25.3","assertj-build-3.26.0","assertj-build-3.26.3","assertj-build-3.27.0","assertj-build-3.27.1","assertj-build-3.27.2","assertj-build-3.27.3","assertj-build-3.27.4","assertj-build-3.27.5","assertj-build-3.27.6","assertj-core-1.4.0","assertj-core-1.5.0","assertj-core-1.6.0","assertj-core-1.6.1","assertj-core-1.7.0","assertj-core-3.0.0","assertj-core-3.1.0","assertj-core-3.10.0","assertj-core-3.11.0","assertj-core-3.11.1","assertj-core-3.12.0","assertj-core-3.12.1","assertj-core-3.12.2","assertj-core-3.13.0","assertj-core-3.13.1","assertj-core-3.13.2","assertj-core-3.14.0","assertj-core-3.15.0","assertj-core-3.16.0","assertj-core-3.16.1","assertj-core-3.17.0","assertj-core-3.17.1","assertj-core-3.17.2","assertj-core-3.18.0","assertj-core-3.18.1","assertj-core-3.19.0","assertj-core-3.2.0","assertj-core-3.20.0","assertj-core-3.20.1","assertj-core-3.20.2","assertj-core-3.21.0","assertj-core-3.22.0","assertj-core-3.23.0","assertj-core-3.23.1","assertj-core-3.3.0","assertj-core-3.4.0","assertj-core-3.4.1","assertj-core-3.5.0","assertj-core-3.5.1","assertj-core-3.5.2","assertj-core-3.6.0","assertj-core-3.6.1","assertj-core-3.7.0","assertj-core-3.8.0","assertj-core-3.9.0","assertj-core-3.9.1","assertj-core-java8-1.0.0m1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24400.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N"}]}