Cyber Resilience

CVE-2024-55875

Severity: Critical (updated)
Published: 12 December 2024
Modified: 09 June 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0805 (92.3rd percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-55875 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in http4k's default XML parsing; the underlying defect is an XML External Entity (XXE) issue, described below. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score (0.0805) places it in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

http4k is a functional toolkit for building Kotlin HTTP applications. Prior to version 6.50.0.0, the library's default XML parsing logic used by Body.xml() and Document.asXmlDocument() was vulnerable to XML External Entity (XXE) injection when processing untrusted input. An initial mitigation shipped in the 5.41.0.0 and 4.50.0.0 branches blocked external entity resolution, but left the parser accepting <!DOCTYPE> declarations and therefore still exposed to internal entity expansion attacks such as billion-laughs denial of service.

An unauthenticated remote attacker can supply a crafted XML document in an HTTP request to any application using the affected parsing methods. Successful exploitation can result in disclosure of local files, server-side request forgery, remote code execution under certain configurations, or resource-exhaustion denial of service through recursive entity expansion.

The project security advisory and accompanying commit close the remaining attack surface in 6.50.0.0 by setting disallow-doctype-decl=true together with FEATURE_SECURE_PROCESSING=true on the default DocumentBuilderFactory configuration, causing any document containing a <!DOCTYPE> declaration to be rejected at parse time. Users are advised to upgrade to this release; no work-arounds are documented in the references. The EPSS score has remained flat at 0.0805 with no material post-disclosure increase observed.

EU & UK References

Vulnerability details

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handles malicious XML content within requests, which might allow attackers to read sensitive local information on the server, trigger Server-side Request Forgery and even execute code under some circumstances.

The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=""`, `ACCESS_EXTERNAL_SCHEMA=""`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `<!DOCTYPE>` declarations, and `isExpandEntityReferences=false` only changes how expanded entities are represented in the resulting DOM; it does not stop the parser from expanding internal entities. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual gap by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`; any document containing a `<!DOCTYPE>` is now rejected at parse time.
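The two parser configurations described above (the intermediate v5.41.0.0 / v4.50.0.0 hardening and the v6.50.0.0 DOCTYPE rejection) can be reproduced directly against the JAXP `DocumentBuilderFactory` that http4k builds on. The following is an added example written for this page; it is not http4k's own code and does not use the http4k API. It assumes the JDK's built-in Xerces parser, addresses the Apache feature by its full URI `http://apache.org/xml/features/disallow-doctype-decl` (the page names it only by its short form), and uses a constructed, deliberately shallow billion-laughs document so the "before" configuration can be exercised safely.

```kotlin
import java.io.ByteArrayInputStream
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document

// Constructed sample: a shallow billion-laughs document (10^3 = 1,000 expansions,
// well under the JDK's default entityExpansionLimit of 64,000) so the "before"
// configuration can be run without exhausting memory.
val LAUGHS_XML = """
    <?xml version="1.0"?>
    <!DOCTYPE lolz [
      <!ENTITY lol "lol">
      <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
      <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
      <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
    ]>
    <lolz>&lol3;</lolz>
""".trimIndent()

// Constructed sample: a benign document with no DOCTYPE, which must still parse.
val PLAIN_XML = """<?xml version="1.0"?><order id="42"><item>widget</item></order>"""

// Mirrors the intermediate fix (v5.41.0.0 / v4.50.0.0): external DTD and schema
// access is cut off, but the parser still accepts a <!DOCTYPE> and still expands
// internal entities (isExpandEntityReferences only changes the DOM shape).
fun externalEntitiesBlockedFactory(): DocumentBuilderFactory =
    DocumentBuilderFactory.newInstance().apply {
        setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
        setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
        isExpandEntityReferences = false
    }

// Mirrors the v6.50.0.0 fix: on top of the above, reject any DOCTYPE outright and
// enable FEATURE_SECURE_PROCESSING, which enforces the JAXP expansion limits.
fun doctypeRejectingFactory(): DocumentBuilderFactory =
    externalEntitiesBlockedFactory().apply {
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
        setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    }

// Parses untrusted input with the given factory. Parse failures are returned as a
// failed Result rather than thrown, which is how a request handler would treat them.
fun parseUntrusted(factory: DocumentBuilderFactory, xml: String): Result<Document> =
    runCatching {
        factory.newDocumentBuilder()
            .parse(ByteArrayInputStream(xml.toByteArray(Charsets.UTF_8)))
    }

fun describe(label: String, result: Result<Document>) {
    result.fold(
        onSuccess = { doc ->
            println("$label: parsed, root <${doc.documentElement.tagName}>, " +
                "text length ${doc.documentElement.textContent.length}")
        },
        onFailure = { e ->
            println("$label: rejected (${e.javaClass.simpleName}: ${e.message})")
        }
    )
}

fun main() {
    val before = externalEntitiesBlockedFactory()
    val after = doctypeRejectingFactory()

    // The shallow billion-laughs payload is accepted by the "before" configuration
    // (DOCTYPE allowed, entities expanded in memory) and rejected by the "after"
    // configuration as soon as the <!DOCTYPE> is seen, before any entity is processed.
    describe("before / billion-laughs", parseUntrusted(before, LAUGHS_XML))
    describe("after  / billion-laughs", parseUntrusted(after, LAUGHS_XML))

    // A DOCTYPE-free document parses under both configurations.
    describe("before / plain", parseUntrusted(before, PLAIN_XML))
    describe("after  / plain", parseUntrusted(after, PLAIN_XML))
}
```

Running `main` shows the residual gap the advisory describes: the "before" factory returns a parsed document whose text has grown by the entity expansion, while the "after" factory fails on the same input with a `SAXParseException` naming the disallowed DOCTYPE. Scaling the constructed payload to the classic nine-level form would, under the "before" factory, be stopped only by the JDK's expansion limit rather than by anything in the configuration itself. For http4k users the documented fix remains upgrading to 6.50.0.0; this example only illustrates what that release's parser settings do.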

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing attempts to access or extract sensitive data, revealing exposure of sensitive information to unauthorized actors.

addresses: CWE-611 CWE-918

Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-200

Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.

addresses: CWE-200

By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.

addresses: CWE-200

Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.

addresses: CWE-200

Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.

References