CVE-2026-24400
Published: 26 January 2026
Summary
CVE-2026-24400 is a critical-severity Improper Restriction of XML External Entity Reference (CWE-611) vulnerability in AssertJ. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 2.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of the XXE flaw in AssertJ by upgrading to version 3.27.7, where external entities and DTDs are disabled.
- SI-10 (Information Input Validation): Prevents XXE exploitation by validating untrusted XML inputs to the `isXmlEqualTo` or `xmlPrettyFormat` methods against malicious entities, URIs, or expansions.
- Enforces secure configuration settings for XML parsers such as `DocumentBuilderFactory` to disable DTDs and external entities, mitigating the library's default insecure behavior.
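The SI-2 control above turns into a concrete triage question: which of our Maven projects pin an affected assertj-core version, and where do the two entry points named in the advisory appear? The following is an added example, not code from the advisory or from the AssertJ project. It scans a source tree for `isXmlEqualTo(`, `xmlPrettyFormat(` and `XmlStringPrettyFormatter`, reads a literal `assertj-core` version from `pom.xml`, and checks it against the advisory's range (1.4.0 inclusive to 3.27.7 exclusive). The sample project it builds in a temp directory is constructed for the demo; the `src/main` versus test tagging is a heuristic of this example, not something the advisory states. It assumes Java 17 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

/** Added example: triage helper for CVE-2026-24400 in a Maven source tree. */
public final class AssertjXxeTriage {

    static final int[] FIRST_AFFECTED = {1, 4, 0}; // start of the affected range, per the advisory
    static final int[] FIXED = {3, 27, 7};         // first fixed release, per the advisory

    // The two entry points the advisory names, plus the formatter class itself.
    static final Pattern SINK = Pattern.compile(
        "\\bisXmlEqualTo\\s*\\(|\\bxmlPrettyFormat\\s*\\(|\\bXmlStringPrettyFormatter\\b");
    // Literal assertj-core version in a pom; a ${property} reference will not parse as a number.
    static final Pattern POM_VERSION = Pattern.compile(
        "<artifactId>assertj-core</artifactId>\\s*<version>([^<]+)</version>");

    /** Parses "major.minor.patch" (extra suffixes such as -SNAPSHOT are ignored). */
    static int[] parseVersion(String v) {
        String[] parts = v.trim().split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            String digits = parts[i].replaceAll("[^0-9].*", "");
            out[i] = digits.isEmpty() ? 0 : Integer.parseInt(digits);
        }
        return out;
    }

    static int compareVersions(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) return Integer.compare(a[i], b[i]);
        }
        return 0;
    }

    /** True for 1.4.0 <= version < 3.27.7, the range the advisory gives. */
    static boolean isAffected(String version) {
        int[] v = parseVersion(version);
        return compareVersions(v, FIRST_AFFECTED) >= 0 && compareVersions(v, FIXED) < 0;
    }

    /** Lists every use of the affected entry points under root, tagged by source scope. */
    static List<String> findSinks(Path root) throws IOException {
        List<String> hits = new ArrayList<>();
        try (Stream<Path> files = Files.walk(root)) {
            List<Path> sources = files.filter(p -> p.toString().endsWith(".java")).toList();
            for (Path p : sources) {
                List<String> lines = Files.readAllLines(p);
                for (int i = 0; i < lines.size(); i++) {
                    Matcher m = SINK.matcher(lines.get(i));
                    if (m.find()) {
                        // Heuristic (this example's, not the advisory's): main-scope code can see
                        // production input, so it is the first place to look for untrusted XML.
                        String normalized = p.toString().replace('\\', '/');
                        String scope = normalized.contains("src/main") ? "MAIN" : "test";
                        hits.add(scope + " " + root.relativize(p) + ":" + (i + 1) + ": " + m.group());
                    }
                }
            }
        }
        return hits;
    }

    /** Returns the literal assertj-core version declared in a pom, or "not found". */
    static String assertjVersion(Path pom) throws IOException {
        Matcher m = POM_VERSION.matcher(Files.readString(pom));
        return m.find() ? m.group(1).trim() : "not found";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample project (placeholder content, not a real code base).
        Path root = Files.createTempDirectory("assertj-triage");
        Path pom = root.resolve("pom.xml");
        Files.writeString(pom, "<project><dependencies><dependency>"
            + "<groupId>org.assertj</groupId><artifactId>assertj-core</artifactId>"
            + "<version>3.26.3</version></dependency></dependencies></project>");
        Path src = Files.createDirectories(root.resolve("src/main/java/example"));
        Files.writeString(src.resolve("Validator.java"),
            "class Validator { void check(String body, String expected) {\n"
            + "  org.assertj.core.api.Assertions.assertThat(body).isXmlEqualTo(expected);\n} }\n");

        String version = assertjVersion(pom);
        System.out.println("assertj-core " + version + " in affected range: " + isAffected(version));
        for (String hit : findSinks(root)) System.out.println(hit);
    }
}
```

Point `main` at a real checkout instead of the temp directory to use it for triage. A version inherited from a parent POM or expressed as a `${property}` is reported as "not found" or parses to zeros; resolve it with `mvn dependency:tree` in that case. Hits in test scope still matter if the tests feed in XML from outside the build, which is why the tool lists them rather than dropping them.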
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XXE directly enables remote exploitation of public-facing apps (T1190) via untrusted XML, arbitrary local file reads (T1005), and resource exhaustion DoS via entity expansion (T1499.004).
NVD Description
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files), perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Deeper analysis
CVE-2026-24400 is an XML External Entity (XXE) vulnerability in AssertJ, a fluent testing assertions library for Java and the Java Virtual Machine (JVM). It affects versions starting from 1.4.0 up to but not including 3.27.7, specifically in the `org.assertj.core.util.xml.XmlStringPrettyFormatter` class. The vulnerable `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings that do not disable Document Type Definitions (DTDs) or external entities. This issue is triggered when applications process untrusted XML input using either the `isXmlEqualTo(CharSequence)` assertion from `org.assertj.core.api.AbstractCharSequenceAssert` or the `xmlPrettyFormat(String)` method from `XmlStringPrettyFormatter`. The `isXmlEqualTo` method has been deprecated since version 3.18.0 in favor of XMLUnit and is scheduled for removal in version 4.0.
The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), a Critical rating: the flaw is reachable over the network with low attack complexity and requires neither privileges nor user interaction. Remote attackers can exploit it by supplying malicious XML payloads to affected methods in vulnerable applications. Successful exploitation enables reading arbitrary local files via `file://` URIs (such as `/etc/passwd` or configuration files), performing Server-Side Request Forgery (SSRF) attacks via HTTP/HTTPS URIs, or causing denial of service through entity expansion attacks like "Billion Laughs."
Advisories recommend mitigating by replacing `isXmlEqualTo(CharSequence)` with XMLUnit (preferred), upgrading to AssertJ version 3.27.7, or avoiding these methods with untrusted input. The `XmlStringPrettyFormatter` is deprecated in 3.27.7 and removed in 4.0, as it was primarily a utility for the deprecated assertion. Relevant resources include the GitHub security advisory (GHSA-rqfh-9r24-8c9r), the fixing commit (85ca7eb6609bb179c043b85ae7d290523b1ba79a), and the 3.27.7 release notes, along with the OWASP XML External Entity Prevention Cheat Sheet.
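The root cause described above (a `DocumentBuilderFactory` left at its defaults) and the preferred remediation (XMLUnit instead of `isXmlEqualTo`) are both easier to see in code. The following is an added example written for this page; it is not AssertJ's code nor the fixing commit. It shows the default factory as the "before", a hardened factory configured along the lines of the OWASP XML External Entity Prevention Cheat Sheet the advisory links to, and an XMLUnit `DiffBuilder` comparison that parses both documents through that hardened factory. The sample XML strings are constructed for the demo; the DOCTYPE in the first one declares only a harmless internal entity, which is enough to show that the hardened parser refuses any DOCTYPE at all. It assumes XMLUnit 2.x (`xmlunit-core`) on the classpath.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xmlunit.builder.DiffBuilder;
import org.xmlunit.diff.Diff;

/** Added example: hardened DOM parsing and an XMLUnit replacement for isXmlEqualTo. */
public final class HardenedXmlCompare {

    // Constructed sample inputs (not from the advisory). The first carries a harmless
    // internal DOCTYPE; a hardened parser must refuse any DOCTYPE, harmless or not.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?><!DOCTYPE note [<!ENTITY who \"world\">]><note>hello &who;</note>";
    static final String PRETTY = "<note>\n  <to>you</to>\n</note>";
    static final String COMPACT = "<note><to>you</to></note>";

    /** The pattern the advisory describes: a factory at its defaults, so DTDs and external
     *  entities are honoured. Kept only as the "before" of the hardened version below. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory following the OWASP XXE Prevention Cheat Sheet. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: reject any DOCTYPE, so no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses with whatever factory it is given, exactly as the vulnerable code path does. */
    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Parses untrusted input: hardened factory plus a resolver that maps every external
     *  reference to an empty document, should a DTD ever get past the feature flags. */
    static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** True when the hardened parser refuses the document (it carries a DOCTYPE). */
    static boolean hardenedRejects(String xml) throws Exception {
        try {
            parseUntrusted(xml);
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    /** Replacement for assertThat(actual).isXmlEqualTo(expected): XMLUnit comparison that
     *  ignores layout whitespace and parses both sides through the hardened factory. */
    static boolean xmlEquivalent(String expected, String actual) throws ParserConfigurationException {
        Diff diff = DiffBuilder.compare(expected)
            .withTest(actual)
            .withDocumentBuilderFactory(hardenedFactory())
            .ignoreWhitespace()
            .checkForSimilar()
            .build();
        return !diff.hasDifferences();
    }

    public static void main(String[] args) throws Exception {
        // The default factory accepts the DOCTYPE and expands the entity: the vulnerable behaviour.
        Document d = parse(defaultFactory(), WITH_DOCTYPE);
        System.out.println("default factory parsed: " + d.getDocumentElement().getTextContent());
        System.out.println("hardened parser rejects DOCTYPE: " + hardenedRejects(WITH_DOCTYPE));
        System.out.println("XMLUnit: pretty vs compact equal: " + xmlEquivalent(PRETTY, COMPACT));
        System.out.println("XMLUnit: real difference equal: " + xmlEquivalent(PRETTY, "<note><to>me</to></note>"));
    }
}
```

In a test, `xmlEquivalent` is the drop-in for the deprecated assertion; in production code that must pretty-print or compare XML from outside the process, `parseUntrusted` is the parser to reach for rather than `xmlPrettyFormat`. Rejecting the DOCTYPE outright is what closes all three impacts the advisory lists (local file read, SSRF, entity-expansion DoS), because each of them needs an entity declaration to exist in the first place.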
Details
- CWE(s)