CVE-2026-24400
Unknown Unknown - Not Provided
XML External Entity (XXE) Vulnerability in AssertJ XML Formatter

Publication date: 2026-01-26

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24400
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
assertj assertj From 1.4.0 (inc) to 3.27.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an XML External Entity (XXE) issue in AssertJ versions from 1.4.0 up to before 3.27.7. It occurs in the XmlStringPrettyFormatter class's toXmlDocument(String) method, which initializes XML parsing without disabling DTDs or external entities. When untrusted XML input is processed using the isXmlEqualTo(CharSequence) assertion or xmlPrettyFormat(String), an attacker can exploit this to read arbitrary local files, perform Server-Side Request Forgery (SSRF), or cause Denial of Service via entity expansion attacks.

Impact Analysis

If your application uses affected versions of AssertJ and processes untrusted XML input with the vulnerable methods, an attacker could read sensitive local files (like /etc/passwd), perform SSRF attacks to access internal network resources, or cause Denial of Service by exploiting entity expansion. This can lead to data exposure, network compromise, or service disruption.

Mitigation Strategies

To mitigate this vulnerability, you should: 1) Replace the use of isXmlEqualTo(CharSequence) with XMLUnit, 2) Upgrade AssertJ to version 3.27.7 or later, or 3) Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted XML input.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24400. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart