CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24400: AssertJ XXE: When Test Code Bites Back

Vulnerability ID: CVE-2026-24400
CVSS Score: 8.2
Published: 2026-01-26

A critical XML External Entity (XXE) vulnerability in AssertJ allows attackers to read local files or perform SSRF via malicious XML strings passed to assertion methods.

TL;DR

AssertJ, the beloved fluent assertion library for Java, failed to disable DTD processing in its internal XML pretty-printer. If you pass a malicious XML string to isXmlEqualTo(), the library blindly resolves external entities. This allows attackers to read files (like /etc/passwd) or hit internal network endpoints, potentially compromising CI/CD pipelines or production systems where test utilities are improperly used.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-611 (XXE)
  • CVSS 4.0: 8.2 (High)
  • Attack Vector: Local (Context Dependent)
  • Impact: High (Confidentiality)
  • Exploit Status: PoC Available
  • Patch Date: 2026-01-24

Affected Systems

  • Java applications using AssertJ < 3.27.7
  • CI/CD Pipelines running tests with AssertJ
  • Production systems improperly including test dependencies
  • AssertJ Core: >= 1.4.0, < 3.27.7 (Fixed in: 3.27.7)

Code Analysis

Commit: 85ca7eb

Disable DTDs and external entities in XmlStringPrettyFormatter

@@ -70,6 +75,12 @@
   private static Document toXmlDocument(String xmlString) throws Exception {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
     DocumentBuilder builder = factory.newDocumentBuilder();
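Review bot: The two features set here leave external parameter entities and external DTD loading untouched; add `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` (and `factory.setXIncludeAware(false);`) so `toXmlDocument` stays safe on a parser implementation that does not honour `disallow-doctype-decl`. Also worth a note in the commit message: with `disallow-doctype-decl` set to true, `toXmlDocument` now throws on any input containing a DOCTYPE, including benign ones, so callers comparing XML fixtures that declare a DTD will see a behaviour change rather than a pretty-printed document.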

Exploit Details

Mitigation Strategies

  • Disable DTD processing in all XML parsers by default.
  • Isolate CI/CD build agents to prevent access to internal networks (SSRF protection).
  • Audit usage of test libraries in production code artifacts.
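The first mitigation in practice: an added example (not AssertJ's own code) of a DocumentBuilderFactory hardened the way the fix commit does, extended with the remaining DTD-related features, and exercised on a constructed input that carries a DOCTYPE so that the rejection is visible. The class and method names are chosen here for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Factory with DTD processing fully disabled (hypothetical helper name).
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: with no DTD there is nothing to declare
        // an external entity in, so XXE, entity-expansion bombs and external
        // DTD fetches are all stopped at the prolog.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Parses an in-memory XML string with the hardened factory.
    static Document parse(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain document and one that declares a DTD.
        String benign = "<root><child>ok</child></root>";
        String withDoctype =
            "<!DOCTYPE root [<!ENTITY probe \"constructed\">]><root>&probe;</root>";

        System.out.println("benign root: " + parse(benign).getDocumentElement().getTagName());
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // The parser refuses the document before any entity is resolved.
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The same check, run against the unhardened `DocumentBuilderFactory.newInstance()` defaults, is a quick way to confirm whether a given JDK or Xerces build resolves entities out of the box.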

Remediation Steps:

  1. Upgrade assertj-core dependency to version 3.27.7 or later.
  2. Replace usages of isXmlEqualTo with XMLUnit or similar dedicated libraries.
  3. Scan codebase for direct usage of org.assertj.core.util.xml.XmlStringPrettyFormatter.

References
Read the full report for CVE-2026-24400 on our website for more details including interactive diagrams and full exploit analysis.