Cyber Posture

CVE-2024-52807

High

Published: 24 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: fixed in version 1.7.4
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0003 (9.9th percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-52807 is a high-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in the HL7 FHIR IG publisher, affecting versions prior to 1.7.4. Its CVSS base score is 8.6 (High): network-reachable, no privileges or user interaction required, high confidentiality impact with a changed scope.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 9.9th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mandates timely patching of the HL7 FHIR IG publisher to version 1.7.4, which remediates the XXE vulnerability in the XSLT transform components.

SI-10 Information Input Validation (prevent): Requires validation of XML inputs to detect and block malicious DTD declarations that enable external entity injection during processing by the publisher.

Secure parser configuration (prevent): Enforces secure configuration of XML parsers and XSLT processors to disable external entity resolution, addressing the root cause of the XXE vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

XXE enables remote file read via crafted XML input to a network-accessible publisher component (T1190) and directly facilitates collection of arbitrary local files/data from the host (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The HL7 FHIR IG publisher is a tool to take a set of inputs and create a standard FHIR IG. Prior to version 1.7.4, XSLT transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag `( ]>` could produce XML containing data from the host system. This impacts use cases where org.hl7.fhir.publisher is being used within a host where external clients can submit XML. A previous release provided an incomplete solution revealed by new testing. This issue has been patched as of version 1.7.4. No known workarounds are available.

Deeper analysis

CVE-2024-52807 is an XML external entity (XXE) injection vulnerability, classified under CWE-611, affecting the HL7 FHIR Implementation Guide (IG) publisher prior to version 1.7.4. This tool processes inputs to generate standard FHIR IGs and performs XSLT transforms on XML files. A malicious DTD declaration in a processed XML file, one that defines an external entity and references it in the document body, causes the entity to be expanded during the transform, so the output XML can carry data read from the host system. The vulnerability was incompletely addressed in a prior release, as revealed by additional testing.

The issue is exploitable where the org.hl7.fhir.publisher component runs on a host that accepts XML submissions from external clients; a build pipeline that only ever transforms XML authored by its own maintainers is exposed only to the extent that its inputs can be tampered with. An unauthenticated attacker with network access (AV:N/AC:L/PR:N/UI:N) can submit crafted XML and achieve high confidentiality impact (C:H) with a changed scope (S:C), scored at CVSS 8.6. Successful exploitation lets the attacker read data from the host system, such as local files, without privileges or user interaction and without impacting integrity or availability.

Mitigation is to upgrade to version 1.7.4, which patches the XSLT transform components. Because an earlier release shipped a partial fix that new testing showed to be incomplete, verify that deployed installations are on 1.7.4 or later rather than relying on the earlier release. Relevant details are documented in the GitHub security advisory (GHSA-8c3x-hq82-gjcm), the commit fixing the issue (3560de2f486d688a3ddcf4aa54d8bdacea380c3d), and the release comparison between 1.7.3 and 1.7.4. No workarounds are known.
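The following is an added example, not code from the HL7 FHIR IG publisher project, written in Java because the publisher is a Java tool and its XSLT transforms go through javax.xml.transform. It covers both the secure-parser-configuration and input-validation controls listed above and the XXE mechanism described in this analysis: the first transform leaves the JDK's TransformerFactory at its defaults, so an external entity declared in attacker-supplied XML is expanded and its contents surface in the XSLT output; the second parses the same input with a SAX parser that rejects any DOCTYPE declaration and locks the TransformerFactory down, so the transform fails closed. The class and method names, the stylesheet, the malicious document and the target file path (`/etc/passwd`, so the demo assumes a Unix-like host) are all constructed for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XsltXxeDemo {

    // Constructed attacker input: the DTD declares an external entity backed by a
    // local file and the document body references it, so any processor that
    // resolves entities copies the file contents into the document tree.
    static final String MALICIOUS_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
        + "<foo>&xxe;</foo>\n";

    // Constructed stylesheet: emits the text content of <foo>, which is exactly
    // where the expanded entity lands. Any transform that echoes input text is
    // enough; nothing about the XSLT itself needs to be malicious.
    static final String STYLESHEET =
          "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
        + "  <xsl:output method=\"text\"/>\n"
        + "  <xsl:template match=\"/\"><xsl:value-of select=\"/foo\"/></xsl:template>\n"
        + "</xsl:stylesheet>\n";

    // VULNERABLE: a default TransformerFactory parses the StreamSource with the
    // JDK's own reader, and unless javax.xml.accessExternalDTD has been restricted
    // that reader resolves external entities. The output is the file's contents.
    static String transformUnsafe(String xml) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(STYLESHEET)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    // HARDENED: parse the untrusted document ourselves with a SAX reader that
    // refuses any DOCTYPE (which removes internal and external DTDs, entity
    // declarations and entity expansion attacks in one step), then hand the
    // pre-parsed SAXSource to a TransformerFactory that is also forbidden from
    // fetching external DTDs or stylesheets (covers xsl:import/include and document()).
    static String transformSafe(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(STYLESHEET)));

        StringWriter out = new StringWriter();
        t.transform(new SAXSource(reader, new InputSource(new StringReader(xml))),
                    new StreamResult(out));
        return out.toString();
    }

    // Coarse boundary check for logging or early rejection at the point where
    // external clients submit XML. XML keywords are case-sensitive, so "<!DOCTYPE"
    // is the only spelling a conforming parser accepts. This is a screen, not the
    // control: the parser feature above is what actually enforces the policy.
    static boolean declaresDoctype(String xml) {
        return xml.contains("<!DOCTYPE");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("input declares DOCTYPE: " + declaresDoctype(MALICIOUS_XML));
        try {
            System.out.println("unsafe transform output:\n" + transformUnsafe(MALICIOUS_XML));
        } catch (Exception e) {
            System.out.println("unsafe transform failed (file missing or JDK already restricted): " + e.getMessage());
        }
        try {
            transformSafe(MALICIOUS_XML);
            System.out.println("hardened transform unexpectedly succeeded");
        } catch (Exception e) {
            System.out.println("hardened transform rejected the input: " + e.getMessage());
        }
    }
}
```

Compile and run with a stock JDK (`javac XsltXxeDemo.java && java XsltXxeDemo`); the unsafe path prints the contents of `/etc/passwd`, the hardened path throws a TransformerException wrapping the parser's "DOCTYPE is disallowed" error. If the unsafe path also fails with an "accessExternalDTD" message, the JVM was started with `-Djavax.xml.accessExternalDTD=""` or an equivalent `jaxp.properties` setting, which is the process-wide form of the same restriction and a reasonable belt-and-braces setting for any host that transforms externally supplied XML. Setting the attributes on the factory in code is preferable because it does not depend on how the JVM was launched.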

Details

CWE(s): CWE-611 Improper Restriction of XML External Entity Reference

CVEs Like This One

CVE-2025-0162 (shared CWE-611)
CVE-2025-61813 (shared CWE-611)
CVE-2026-41066 (shared CWE-611)
CVE-2024-56324 (shared CWE-611)
CVE-2026-1567 (shared CWE-611)
CVE-2024-49781 (shared CWE-611)
CVE-2025-36589 (shared CWE-611)
CVE-2026-29924 (shared CWE-611)
CVE-2025-68493 (shared CWE-611)
CVE-2025-54254 (shared CWE-611)
