CVE-2026-24400: AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
(updated )
An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.
An application is vulnerable only when it uses untrusted XML input with one of the following methods:
isXmlEqualTo(CharSequence)fromorg.assertj.core.api.AbstractCharSequenceAssertxmlPrettyFormat(String)fromorg.assertj.core.util.xml.XmlStringPrettyFormatter
References
- cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- github.com/advisories/GHSA-rqfh-9r24-8c9r
- github.com/assertj/assertj
- github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a
- github.com/assertj/assertj/releases/tag/assertj-build-3.27.7
- github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r
- nvd.nist.gov/vuln/detail/CVE-2026-24400
Code Behaviors & Features
Detect and mitigate CVE-2026-24400 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →