CVE-2026-24400
Unknown Unknown - Not Provided

XML External Entity (XXE) Vulnerability in AssertJ XML Formatter

Vulnerability report for CVE-2026-24400, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-26

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description

AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-26
Last Modified
2026-03-09
Generated
2026-07-06
AI Q&A
2026-01-27
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
assertj assertj From 1.4.0 (inc) to 3.27.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an XML External Entity (XXE) issue in AssertJ versions from 1.4.0 up to before 3.27.7. It occurs in the XmlStringPrettyFormatter class's toXmlDocument(String) method, which initializes XML parsing without disabling DTDs or external entities. When untrusted XML input is processed using the isXmlEqualTo(CharSequence) assertion or xmlPrettyFormat(String), an attacker can exploit this to read arbitrary local files, perform Server-Side Request Forgery (SSRF), or cause Denial of Service via entity expansion attacks.

Impact Analysis

If your application uses affected versions of AssertJ and processes untrusted XML input with the vulnerable methods, an attacker could read sensitive local files (like /etc/passwd), perform SSRF attacks to access internal network resources, or cause Denial of Service by exploiting entity expansion. This can lead to data exposure, network compromise, or service disruption.

Mitigation Strategies

To mitigate this vulnerability, you should: 1) Replace the use of isXmlEqualTo(CharSequence) with XMLUnit, 2) Upgrade AssertJ to version 3.27.7 or later, or 3) Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted XML input.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24400. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart