What is CVE-2026-24400?

An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with one of the following methods: - `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` - `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter` ### Impact If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could: - **Read arbitrary local files** via `file://` URIs (e.g., `/etc/passwd`, application configuration files) - **Perform Server-Side Request Forgery (SSRF)** via HTTP/HTTPS URIs - **Cause Denial of Service** via "Billion Laughs" entity expansion attacks ### Mitigation `isXmlEqualTo(CharSequence)` has been deprecated in favor of [XMLUnit](https://www.xmlunit.org/) in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: 1. Replace `isXmlEqualTo(CharSequence)` with XMLUnit, or 2. Upgrade to version 3.27.7, or 3. Avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. ### References - [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html) - [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)

What is the severity of CVE-2026-24400?

CVE-2026-24400 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-24400?

No known public exploits are currently available for CVE-2026-24400.

Is there a patch available for CVE-2026-24400?

Yes, patches are available for CVE-2026-24400. Check the vendor advisories for update instructions.

CVE-2026-24400 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter

Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
Cause Denial of Service via "Billion Laughs" entity expansion attacks

Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

Replace isXmlEqualTo(CharSequence) with XMLUnit, or
Upgrade to version 3.27.7, or
Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

CWE-611: Improper Restriction of XML External Entity Reference

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com Github.com