assertj up to 3.27.6 toXmlDocument xml external entity reference
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.1 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in assertj up to 3.27.6. The impacted element is the function toXmlDocument of the component org.assertj.core.util.xml.XmlStringPrettyFormatter. Such manipulation leads to xml external entity reference.
This vulnerability is uniquely identified as CVE-2026-24400. Local access is required to approach this attack. No exploit exists.
You should upgrade the affected component.
Details
A vulnerability was found in assertj up to 3.27.6 and classified as problematic. Affected by this issue is the function toXmlDocument of the component org.assertj.core.util.xml.XmlStringPrettyFormatter. The manipulation with an unknown input leads to a xml external entity reference vulnerability. Using CWE to declare the problem leads to CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Impacted is confidentiality, integrity, and availability. CVE summarizes:
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
The advisory is shared for download at github.com. This vulnerability is handled as CVE-2026-24400 since 01/22/2026. The exploitation is known to be easy. The attack needs to be approached locally. There are known technical details, but no exploit is available.
The vulnerability scanner Nessus provides a plugin with the ID 296899 (Linux Distros Unpatched Vulnerability : CVE-2026-24400), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 3.27.7 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 85ca7eb6609bb179c043b85ae7d290523b1ba79a is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the databases at Tenable (296899) and EUVD (EUVD-2026-4724). Once again VulDB remains the best source for vulnerability data.
Product
Name
Version
License
Website
- Product: https://github.com/assertj/assertj/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒
CVSSv3
VulDB Meta Base Score: 7.2VulDB Meta Temp Score: 7.1
VulDB Base Score: 5.3
VulDB Temp Score: 5.1
VulDB Vector: 🔒
VulDB Reliability: 🔍
NVD Base Score: 9.1
NVD Vector: 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Xml external entity referenceCWE: CWE-611 / CWE-610
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 296899
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-24400
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: assertj 3.27.7
Patch: 85ca7eb6609bb179c043b85ae7d290523b1ba79a
Timeline
01/22/2026 CVE reserved01/27/2026 Advisory disclosed
01/27/2026 VulDB entry created
03/09/2026 VulDB entry last update
Sources
Product: github.comAdvisory: GHSA-rqfh-9r24-8c9r
Status: Confirmed
CVE: CVE-2026-24400 (🔒)
GCVE (CVE): GCVE-0-2026-24400
GCVE (VulDB): GCVE-100-342932
EUVD: 🔒
Entry
Created: 01/27/2026 02:18Updated: 03/09/2026 15:49
Changes: 01/27/2026 02:18 (71), 01/28/2026 18:31 (2), 01/28/2026 22:57 (1), 03/09/2026 15:49 (12)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.