CVE-2024-55875
Published: 12 December 2024
Summary
CVE-2024-55875 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
http4k is a functional toolkit for building Kotlin HTTP applications. Prior to version 6.50.0.0, the library's default XML parsing logic used by Body.xml() and Document.asXmlDocument() was vulnerable to XML External Entity (XXE) injection when processing untrusted input. An initial mitigation shipped in the 5.41.0.0 and 4.50.0.0 branches blocked external entity resolution, but left the parser accepting <!DOCTYPE> declarations and therefore still exposed to internal entity expansion attacks such as billion-laughs denial of service.
An unauthenticated remote attacker can supply a crafted XML document in an HTTP request to any application using the affected parsing methods. Successful exploitation can result in disclosure of local files, server-side request forgery, remote code execution under certain configurations, or resource-exhaustion denial of service through recursive entity expansion.
The project security advisory and accompanying commit close the remaining attack surface in 6.50.0.0 by setting disallow-doctype-decl=true together with FEATURE_SECURE_PROCESSING=true on the default DocumentBuilderFactory configuration, causing any document containing a <!DOCTYPE> declaration to be rejected at parse time. Users are advised to upgrade to this release; no work-arounds are documented in the references. The EPSS score has remained flat at 0.0805 with no material post-disclosure increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3444
Vulnerability details
http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handles malicious XML content within requests, which might allow attackers to read sensitive local information on the server, trigger Server-Side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=""`, `ACCESS_EXTERNAL_SCHEMA=""`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `<!DOCTYPE>` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual gap by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `<!DOCTYPE>` is now rejected at parse time.
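The two parser configurations described in the analysis and details above, side by side, as an added example (not http4k's own code): a stock JAXP factory that accepts a `<!DOCTYPE>` and expands the entity it declares, next to a factory carrying the advisory's settings, which rejects the same document at parse time. The feature and attribute names are the standard JAXP/Xerces ones; the sample documents are constructed.

```kotlin
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document

// Baseline: a stock JAXP factory, which accepts <!DOCTYPE> and expands internal entities.
fun defaultFactory(): DocumentBuilderFactory = DocumentBuilderFactory.newInstance()

// Hardened factory carrying the settings named in the advisory (added example, not http4k's code).
fun hardenedFactory(): DocumentBuilderFactory =
    DocumentBuilderFactory.newInstance().apply {
        // 5.41.0.0 / 4.50.0.0 mitigation: no external DTD/schema fetches, no entity expansion.
        setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
        setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
        isExpandEntityReferences = false
        // 6.50.0.0 fix: reject any document with a <!DOCTYPE> and enable JAXP secure-processing limits.
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
        setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    }

// Parse with the given factory; a rejected document surfaces as a failed Result.
fun parseWith(factory: DocumentBuilderFactory, xml: String): Result<Document> =
    runCatching { factory.newDocumentBuilder().parse(xml.byteInputStream()) }

fun main() {
    // Constructed samples: a plain document and one that declares an internal entity.
    val plain = """<?xml version="1.0"?><order><id>42</id></order>"""
    val withDoctype = """<?xml version="1.0"?>
        |<!DOCTYPE order [<!ENTITY greet "hello">]>
        |<order><id>&greet;</id></order>""".trimMargin()

    // Stock factory: the DOCTYPE is accepted and &greet; is expanded into the parsed tree.
    val lax = parseWith(defaultFactory(), withDoctype).getOrThrow()
    println("default factory: id=" + lax.documentElement.textContent)

    // Hardened factory: the plain document still parses...
    println("hardened, plain document parsed: " + parseWith(hardenedFactory(), plain).isSuccess)

    // ...but any DOCTYPE is rejected at parse time; the failure is a SAXParseException
    // from the disallow-doctype-decl feature, before any entity is looked at.
    val rejected = parseWith(hardenedFactory(), withDoctype)
    println("hardened, doctype document parsed: " + rejected.isSuccess)
    println("rejection: " + rejected.exceptionOrNull()?.message)
}
```

The JDK's default error handler also prints a `[Fatal Error]` line to stderr for the rejected document; in an application this is the point to return a 4xx rather than let the exception propagate.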
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts to access or extract sensitive data, revealing exposure of sensitive information to unauthorized actors.
Identifies XML external entity processing via monitoring of unusual file/network access or resource usage.
Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information and cause unauthorized exposure.
Proper attribute retention and permitted-value enforcement prevent unauthorized actors from accessing sensitive information that lacks correct labels.
Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.
By enforcing authorization matching prior to sharing, the control reduces the risk of exposing sensitive information to unauthorized actors.
Review and removal of nonpublic information from publicly accessible systems directly prevents exposure of sensitive data to unauthorized actors.
Data mining protection mechanisms detect and block unauthorized bulk extraction of sensitive data, directly mitigating exposure to unauthorized actors.