High severity (CVSS 7.5) · OSV Advisory · Published Jun 24, 2025 · Updated Apr 15, 2026
CVE-2025-52888
Description
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (DocumentBuilderFactory) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.qameta.allure.plugins:xunit-xml-plugin | Maven | < 2.34.1 | 2.34.1 |
| io.qameta.allure.plugins:junit-xml-plugin | Maven | < 2.34.1 | 2.34.1 |
| io.qameta.allure.plugins:trx-plugin | Maven | < 2.34.1 | 2.34.1 |
Affected products
Three affected package URLs (no CPE assigned), all with the range < 2.34.1:
- pkg:maven/io.qameta.allure.plugins/junit-xml-plugin
- pkg:maven/io.qameta.allure.plugins/trx-plugin
- pkg:maven/io.qameta.allure.plugins/xunit-xml-plugin