CVE-2026-24400

AssertJ provides fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files), perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
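The root cause above is a `DocumentBuilderFactory` left at its JDK defaults. The following is an added example (not code from the AssertJ project or the advisory) that places a hypothetical reconstruction of that default-settings pattern beside a parser hardened along the lines of the OWASP XXE prevention cheat sheet referenced below; the class and method names are assumptions, and the sample XML is constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardening {

  // Pattern the advisory describes (hypothetical reconstruction, not AssertJ's
  // code): factory left at its defaults, so any DOCTYPE, including one that
  // declares external entities, is honoured by the parser.
  static Document parseWithDefaults(String xml) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
  }

  // Hardened factory following the OWASP XXE prevention cheat sheet linked from
  // the advisory: forbid DOCTYPE outright, then also disable external entities,
  // external DTD loading, XInclude and entity expansion as defence in depth.
  static Document parseHardened(String xml) throws Exception {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    f.setXIncludeAware(false);
    f.setExpandEntityReferences(false);
    f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample input: a harmless internal entity is enough to carry a
    // DOCTYPE, which is what the hardened parser must refuse.
    String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
    String plain = "<r>x</r>";

    System.out.println("defaults: " + parseWithDefaults(withDoctype).getDocumentElement().getTextContent());
    System.out.println("hardened, no DOCTYPE: " + parseHardened(plain).getDocumentElement().getTextContent());
    try {
      parseHardened(withDoctype);
      System.out.println("hardened accepted a DOCTYPE; check the parser features");
    } catch (SAXParseException e) {
      System.out.println("hardened rejected DOCTYPE: " + e.getMessage());
    }
  }
}
```

The same feature set applies to any `DocumentBuilderFactory` an application wires up itself, which is the check to run when auditing code that keeps using `xmlPrettyFormat(String)` before upgrading.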
Configurations

Configuration 1

cpe:2.3:a:assertj:assertj:*:*:*:*:*:*:*:*

History

09 Mar 2026, 14:15

Type Values Removed Values Added
Summary
  • (es) AssertJ provides fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (for example, `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
References
  • https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html - Technical Description
  • https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a - Patch
  • https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7 - Product, Release Notes
  • https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r - Mitigation, Vendor Advisory
First Time
  • Assertj
  • Assertj assertj
CVSS
  • Values Removed: v2 : unknown, v3 : unknown
  • Values Added: v2 : unknown, v3 : 9.1
CPE
  • cpe:2.3:a:assertj:assertj:*:*:*:*:*:*:*:*

26 Jan 2026, 23:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-26 23:16

Updated : 2026-03-09 14:15


NVD link : CVE-2026-24400

Mitre link : CVE-2026-24400

CVE.ORG link : CVE-2026-24400

Products Affected

assertj

  • assertj
CWE
CWE-611

Improper Restriction of XML External Entity Reference