CVE-2024-31573
BaseFortify
Publication date: 2025-10-17
Last updated on: 2025-10-21
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xmlunit | xmlunit | 2.10.0 |
| xmlunit | xmlunit | 2.9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-669 | The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-31573 is a vulnerability in XMLUnit for Java versions before 2.10.0 where the default configuration allows XSLT extension functions to be enabled during transformations. This means that if XMLUnit processes an untrusted XSLT stylesheet, it could allow arbitrary code execution. The vulnerability arises because the software does not disable these extension functions by default, which can be exploited by malicious stylesheets to execute code. This issue was fixed in version 2.10.0 by disabling extension functions by default. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to remote code execution if an attacker provides a malicious XSLT stylesheet that XMLUnit processes. This could allow an attacker to execute arbitrary code on the system running the vulnerable XMLUnit version, potentially compromising the system's security and integrity. The impact is rated as low severity but still poses a risk if untrusted stylesheets are processed without proper configuration. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying usage of XMLUnit for Java versions prior to 2.10.0 that perform XSLT transformations with untrusted stylesheets and have extension functions enabled. Since the vulnerability arises from insecure default settings in XMLUnit's XSLT processing, you can detect it by checking the version of XMLUnit in your environment and reviewing code or configurations that perform XSLT transformations without disabling extension functions. There are no specific network commands provided to detect exploitation attempts. However, reviewing application logs for unexpected XSLT transformation activity or suspicious execution patterns may help. Additionally, verifying the XMLUnit version can be done by inspecting your project's dependencies or build files (e.g., Maven's pom.xml or Gradle files). [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade XMLUnit for Java to version 2.10.0 or later, where the default behavior disables XSLT extension functions. If upgrading is not immediately possible, explicitly configure the TraX TransformerFactory to disable extension functions and pass it to XMLUnit through its setFactory or setTransformerFactory methods, which have been available since version 2.0.0. Avoid processing untrusted stylesheets altogether, or ensure that every XSLT transformation runs with extension functions disabled, so that a stylesheet cannot be used to execute arbitrary code. [1, 3]
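The following is an added example, not code from BaseFortify or from the XMLUnit project, showing the interim mitigation above in code: an unconfigured TransformerFactory (the weak setting XMLUnit used by default before 2.10.0) next to one hardened with JAXP secure processing and the JDK's extension-function switch, handed to XMLUnit through Transformation.setFactory. The sample document and stylesheet are constructed for illustration; the attribute names are the JDK's JAXP ones and may be rejected by other TrAX implementations, which is why they are set defensively.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xmlunit.builder.Input;
import org.xmlunit.transform.Transformation;

/**
 * Added example (not XMLUnit project code): run an XSLT transformation through
 * XMLUnit with a TransformerFactory that has extension functions disabled.
 */
public class HardenedXsltTransform {

    // Constructed sample document and stylesheet, not taken from the advisory.
    static final String INPUT_XML = "<root><item/><item/></root>";
    static final String STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:template match=\"/\"><count><xsl:value-of select=\"count(//item)\"/></count></xsl:template>"
      + "</xsl:stylesheet>";

    /** Weak setting: an unconfigured factory, which is what XMLUnit before 2.10.0 used by default. */
    static TransformerFactory unconfiguredFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened setting: extension functions off, external stylesheet/DTD access off. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Mandatory JAXP feature that every TrAX implementation must accept. With the JDK's
        // built-in XSLTC it disables extension functions and enforces the JAXP processing limits.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JDK-specific attributes: explicit extension-function switch and external access restrictions.
        // Other TrAX implementations may not recognise them, so they are set defensively.
        setAttributeIfSupported(tf,
            "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions", Boolean.FALSE);
        setAttributeIfSupported(tf, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        setAttributeIfSupported(tf, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return tf;
    }

    private static void setAttributeIfSupported(TransformerFactory tf, String name, Object value) {
        try {
            tf.setAttribute(name, value);
        } catch (IllegalArgumentException e) {
            // This TrAX implementation does not know the attribute; FEATURE_SECURE_PROCESSING still applies.
        }
    }

    /** Applies the stylesheet to the document using the supplied factory and returns the result. */
    static String transform(TransformerFactory tf, String xml, String xslt) {
        Transformation t = new Transformation(Input.fromString(xml).build());
        t.setStylesheet(Input.fromString(xslt).build());
        t.setFactory(tf); // the XMLUnit hook the mitigation refers to
        return t.transformToString();
    }

    public static void main(String[] args) throws Exception {
        // Only the hardened factory should ever be used for stylesheets that are not fully trusted.
        System.out.println(transform(hardenedFactory(), INPUT_XML, STYLESHEET));
    }
}
```

Setting FEATURE_SECURE_PROCESSING is the portable part of the fix; the enableExtensionFunctions attribute makes the intent explicit on the JDK's transformer, and restricting external stylesheet and DTD access closes the related outbound-fetch path for the same factory. When XMLUnit is used through Input.byTransforming(...) or the XSLT matchers rather than Transformation directly, the same hardened factory is what should be supplied to their factory setters.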