VYPR
High severity (7.5) · OSV Advisory · Published Jun 24, 2025 · Updated Apr 15, 2026

CVE-2025-52888


Description

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (DocumentBuilderFactory) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.qameta.allure.plugins:xunit-xml-plugin (Maven) | < 2.34.1 | 2.34.1 |
| io.qameta.allure.plugins:junit-xml-plugin (Maven) | < 2.34.1 | 2.34.1 |
| io.qameta.allure.plugins:trx-plugin (Maven) | < 2.34.1 | 2.34.1 |
