Description
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files), perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Published: 2026-01-26
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Read arbitrary local files and execute SSRF via XXE in AssertJ XML parsing
Action: Immediate Patch
AI Analysis

Impact

AssertJ contains an XXE vulnerability in the XmlStringPrettyFormatter used by the isXmlEqualTo assertion for CharSequence values. The formatter initializes a DocumentBuilderFactory with default settings, allowing the parser to process external entities. An attacker can cause the library to read arbitrary local files through file:// URIs, perform Server‑Side Request Forgery to external HTTP or HTTPS resources, and trigger denial of service by exploiting entity expansion attacks. The flaw corresponds to CWE‑611 (XML External Entity (XXE) Processing).

Affected Systems

The vulnerable code exists in AssertJ versions from 1.4.0 up to 3.27.6, inclusive. It affects the AssertJ library (assertj:assertj) when its isXmlEqualTo(CharSequence) assertion or the XmlStringPrettyFormatter is used with XML data that can be controlled by an attacker.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity impact if successfully exploited. However, the EPSS score of <1% shows a very low likelihood that attackers have found or will use exploits in the wild, and the vulnerability is not listed in the CISA KEV catalogue. The typical attack scenario requires the application to pass untrusted XML input into the isXmlEqualTo or XmlStringPrettyFormatter methods, which may occur in test suites or build pipelines that ingest external XML. While the vector is not publicly exploitable in a generic remote context, any environment where untrusted XML is processed by AssertJ remains at risk.

Generated by OpenCVE AI on April 18, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AssertJ to version 3.27.7 or later, which deprecates and removes the vulnerable formatter
  • Replace calls to isXmlEqualTo(CharSequence) with XMLUnit or remove those assertions entirely
  • Ensure that any input passed to isXmlEqualTo or XmlStringPrettyFormatter is strictly trusted, or sanitise it to disallow external entities before parsing
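The following is an added example, not AssertJ's own code or its 3.27.7 patch. It puts the default-settings `DocumentBuilderFactory` pattern the description attributes to `toXmlDocument(String)` beside a hardened factory of the kind the last recommended action calls for: refusing any DOCTYPE removes the precondition for both external entity resolution and entity-expansion DoS. The class name, the feature set chosen and the sample XML are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public final class HardenedXmlParser {
    // The pattern the advisory describes: factory defaults, which leave DOCTYPE
    // declarations, entity expansion and external DTD/entity resolution enabled.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }
    // Hardened factory: refusing any DOCTYPE removes the precondition for XXE and
    // entity-expansion DoS; the other settings are defence in depth for parsers
    // that ignore the first feature (assumed configuration, not AssertJ's fix).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }
    public static void main(String[] args) throws Exception {
        // Constructed samples: a harmless internal entity stands in for the DOCTYPE
        // any XXE payload needs; the plain document shows hardening breaks nothing.
        String withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        String plain = "<r><a>1</a></r>";
        System.out.println("default parser expanded the entity to: "
                + parse(defaultFactory(), withDoctype).getDocumentElement().getTextContent());
        try {
            parse(hardenedFactory(), withDoctype);
            System.out.println("hardened parser accepted a DOCTYPE: unexpected");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the DOCTYPE: " + e.getMessage());
        }
        System.out.println("hardened parser parsed plain XML, root: "
                + parse(hardenedFactory(), plain).getDocumentElement().getTagName());
    }
}
```

With the JDK's built-in parser the default factory expands the entity to "x", while the hardened factory throws a SAXParseException on the DOCTYPE and still parses the plain document.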

Advisories
Source ID Title
Github GHSA GHSA-rqfh-9r24-8c9r AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
History

Mon, 09 Mar 2026 14:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:assertj:assertj:*:*:*:*:*:*:*:*
Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L'}
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Wed, 28 Jan 2026 00:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L'}; threat_severity Moderate


Tue, 27 Jan 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Assertj; Assertj assertj
Type: Vendors & Products
Values Added: Assertj; Assertj assertj

Mon, 26 Jan 2026 22:30:00 +0000

Type: Description
Values Added: AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files), perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.
Type: Title
Values Added: AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion
Type: Weaknesses
Values Added: CWE-611
Type: References
Type: Metrics
Values Added: cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-27T21:36:26.716Z

Reserved: 2026-01-22T18:19:49.172Z

Link: CVE-2026-24400

Vulnrichment

Updated: 2026-01-27T21:36:22.452Z

NVD

Status : Analyzed

Published: 2026-01-26T23:16:08.803

Modified: 2026-03-09T14:15:14.980

Link: CVE-2026-24400

Redhat

Severity : Moderate

Public Date: 2026-01-26T22:19:02Z

Links: CVE-2026-24400 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T02:45:27Z

Weaknesses