Dromara HuTool XML Parsing Module XmlUtil.java readBySax xml external entity reference
Description
A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-3276 is a blind XXE vulnerability in Dromara HuTool up to v5.8.19, allowing arbitrary file reading via the readBySax function in XmlUtil.java.
Vulnerability
Description
The vulnerability resides in the XML parsing module of Dromara HuTool, a popular Java utility library. The readBySax function in XmlUtil.java uses SAXParserFactory without disabling external entity processing, leaving it susceptible to XML External Entity (XXE) attacks. Because no security features are explicitly configured, an attacker can supply a crafted XML document that references external entities [1][3].
Exploitation
Exploitation requires the attacker to control an XML document parsed by the vulnerable readBySax method. The attack is blind (no direct output), so the attacker leverages a malicious external DTD hosted on an HTTP server under their control. The DTD reads arbitrary local files (e.g., via file:// protocol) and exfiltrates the content through an out-of-band HTTP request to an attacker-controlled listener [3].
Impact
Successful exploitation allows an unauthenticated attacker to read arbitrary files on the target system, such as configuration files or credentials, potentially leading to further compromise. The vulnerability is classified as problematic, and an exploit has been publicly disclosed [1][3].
Mitigation
HuTool versions up to and including 5.8.19 are affected. A fix is not available from the vendor, who did not respond to disclosure attempts. Users should upgrade to a patched version (if released) or manually configure the DocumentBuilderFactory or SAXParserFactory to disable external entity processing as a workaround [1][2].
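The workaround described above, as an added example that is not HuTool's own code: a hardened SAXParserFactory that rejects DOCTYPE declarations and disables external entity resolution, wrapped in a readBySax-style helper (the class and method names here are illustrative, not the library's). The feature URIs are the standard Xerces/JAXP ones shipped with the JDK parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxReader {

    // Build a SAXParserFactory with external entity processing switched off.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: no internal or external DTD means no XXE at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must accept a DOCTYPE: no external entities,
        // no fetching of external DTDs, secure-processing limits, no XInclude.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    // Parse with a caller-supplied handler, the shape a readBySax-style helper takes.
    static void readBySax(String xml, DefaultHandler handler) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        parser.parse(new InputSource(new StringReader(xml)), handler);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input without a DOCTYPE: parses normally.
        readBySax("<root><item>ok</item></root>", new DefaultHandler());
        System.out.println("plain document parsed");

        // Constructed sample with a DOCTYPE (internal entity only): the parser
        // refuses it before any entity declaration is processed.
        String withDoctype = "<!DOCTYPE d [<!ENTITY e \"x\">]><root>&e;</root>";
        try {
            readBySax(withDoctype, new DefaultHandler());
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The same feature set applies to DocumentBuilderFactory when the DOM path of a utility is the entry point; disallow-doctype-decl alone closes the blind-XXE route described above because the external DTD is never loaded.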
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cn.hutool:hutool-core (Maven) | <= 5.8.19 | — |
Affected products
- Dromara/HuTool v5 (Range: 5.8.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- fbdhhhh47.github.io/2023/06/06/hutool-XXE/ (MITRE: exploit)
- github.com/advisories/GHSA-p2qf-9vp6-3jjq (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-3276 (GHSA: advisory)
- fbdhhhh47.github.io/2023/06/06/hutool-XXE (GHSA: web)
- vuldb.com (GHSA: signature, permissions-required, web)
- vuldb.com (GHSA: vdb-entry, technical-description, web)
News mentions
No linked articles in our index yet.