VYPR
Medium severity (4.0) · OSV Advisory · Published Oct 17, 2025 · Updated Apr 15, 2026

CVE-2024-31573

Description

XMLUnit for Java before 2.10.0, in the default configuration, might allow code execution via an untrusted stylesheet (used for an XSLT transformation), because XSLT extension functions are enabled.
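The default described above, shown beside a hardened configuration, as an added example in plain JAXP (not code from the XMLUnit project or this advisory): the weak factory leaves the JDK default for extension functions in place, the hardened one applies the same attribute and feature the 2.10.0 fix uses and fails closed when a non-JDK factory rejects the attribute. Class and method names are assumptions.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedTransformerFactory {
    // JDK-specific attribute the XMLUnit 2.10.0 fix sets; it has no XMLConstants equivalent.
    static final String ENABLE_EXTENSION_FUNCTIONS = "jdk.xml.enableExtensionFunctions";

    // Pre-2.10.0 equivalent of XMLUnit's Default: DTDs off, extension functions left at the JDK default (enabled).
    static TransformerFactory weakFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        return f;
    }

    // Hardened: secure processing plus explicit external-access limits and extension functions off.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        try {
            f.setAttribute(ENABLE_EXTENSION_FUNCTIONS, "false");
        } catch (IllegalArgumentException e) {
            // Not the JDK implementation: fail closed instead of assuming it is safe.
            throw new IllegalStateException("cannot disable extension functions on " + f.getClass(), e);
        }
        return f;
    }

    static String transform(TransformerFactory f, String xml, String xslt) throws Exception {
        Transformer t = f.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain stylesheet with no extension calls still works when hardened.
        String xml = "<r><v>42</v></r>";
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/><xsl:template match=\"/\"><xsl:value-of select=\"r/v\"/>"
                + "</xsl:template></xsl:stylesheet>";
        System.out.println(transform(hardenedFactory(), xml, xslt));
    }
}
```

Stylesheets that need xsl:import, document() or extension functions will fail under the hardened factory; that is the intended outcome for untrusted input, so enable only the specific capability a trusted stylesheet requires.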

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.xmlunit:xmlunit-core (Maven)
Affected versions: < 2.10.0
Patched versions: 2.10.0

Affected products

  • Range: v2.0.0, v2.0.0-alpha-02, v2.0.0-alpha-03, …

Patches

b81d48b71dfd

disable XSLT extension functions by default, add more configurers

Repository: https://github.com/xmlunit/xmlunit · Author: Stefan Bodewig · Apr 28, 2024 · via ghsa
1 file changed · +58 -2
  • xmlunit-core/src/main/java/org/xmlunit/util/TransformerFactoryConfigurer.java (+58 -2, modified)
    @@ -16,6 +16,7 @@
     import java.util.Collections;
     import java.util.HashMap;
     import java.util.Map;
    +import javax.xml.XMLConstants;
     import javax.xml.transform.TransformerConfigurationException;
     import javax.xml.transform.TransformerFactory;
     
    @@ -88,18 +89,51 @@ public static Builder builder() {
         }
     
         /**
    -     * The default instance which disables DTD loading but still
    +     * The default instance which disables DTD loading and extension functions but still
          * allows loading of external stylesheets.
          */
         public static final TransformerFactoryConfigurer Default = builder()
             .withDTDLoadingDisabled()
    +        .withExtensionFunctionsDisabled()
    +        .build();
    +
    +    /**
    +     * The instance which enables secure processing thus disables all external access as well as execution of extension
    +     * functions.
    +     *
    +     * @since XMLUnit 2.10.0
    +     */
    +    public static final TransformerFactoryConfigurer SecureProcessing = builder()
    +        .withSecureProcessingEnabled()
             .build();
     
         /**
          * The instance which disables DTD loading as well as loading of
    -     * external stylesheets.
    +     * external stylesheets or extension functions.
          */
         public static final TransformerFactoryConfigurer NoExternalAccess = builder()
    +        .withDTDLoadingDisabled()
    +        .withExternalStylesheetLoadingDisabled()
    +        .withExtensionFunctionsDisabled()
    +        .build();
    +
    +    /**
    +     * The instance which disables DTD loading but still
    +     * allows loading of external stylesheets and extension functions.
    +     *
    +     * @since XMLUnit 2.10.0
    +     */
    +    public static final TransformerFactoryConfigurer NoDtdButExtensionFunctions = builder()
    +        .withDTDLoadingDisabled()
    +        .build();
    +
    +    /**
    +     * The instance which disables DTD loading as well as loading of
    +     * external stylesheets but allows extension functions.
    +     *
    +     * @since XMLUnit 2.10.0
    +     */
    +    public static final TransformerFactoryConfigurer NoExternalAccessButExtensionFunctions = builder()
             .withDTDLoadingDisabled()
             .withExternalStylesheetLoadingDisabled()
             .build();
    @@ -192,5 +226,27 @@ public Builder withExternalStylesheetLoadingDisabled() {
                 // XMLConstants.ACCESS_EXTERNAL_STYLESHEET is not available in Java 6
                 return withSafeAttribute("http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
             }
    +
    +        /**
    +         * Configures the factory to not enable extension functions.
    +         * @return this
    +         *
    +         * @since XMLUnit 2.10.0
    +         */
    +        public Builder withExtensionFunctionsDisabled() {
    +            return withSafeAttribute("jdk.xml.enableExtensionFunctions", "false");
    +        }
    +
    +        /**
    +         * Configures the factory to enable secure processing which disables all external access as well as execution of
    +         * extension functions.
    +         * @return this
    +         *
    +         * @since XMLUnit 2.10.0
    +         */
    +        public Builder withSecureProcessingEnabled() {
    +            return withFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    +        }
    +
         }
     }
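Review bot: withExtensionFunctionsDisabled sets a JDK-specific attribute name with no XMLConstants equivalent, and it goes through withSafeAttribute; if that helper tolerates factories that reject unknown attributes, as its name suggests, then on a non-JDK TransformerFactory the method returns normally while extension functions stay enabled. Suggest saying so in the Javadoc, and adding a comment matching the one above for accessExternalStylesheet that explains the literal string, e.g. `// jdk.xml.enableExtensionFunctions is JDK-specific and has no XMLConstants constant`.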
    

