VYPR
← All advisories
High severityOSV Advisory· Published Jan 26, 2026· Updated Jan 27, 2026

AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

CVE-2026-24400

Description

AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values. An application is vulnerable only when it uses untrusted XML input with either isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert or xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace isXmlEqualTo(CharSequence) with XMLUnit, upgrade to version 3.27.7, or avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input. XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.assertj:assertj-coreMaven
>= 1.4.0, < 3.27.73.27.7

Affected products

1
  • Assertj/AssertjOSV
    Range: assertj-build-3.24.0, assertj-build-3.24.1, assertj-build-3.25.0, …

Patches

1
85ca7eb6609b

Deprecate `XmlStringPrettyFormatter`

https://github.com/assertj/assertjStefano CordioJan 24, 2026via ghsa
commit
2 files changed · +5 3
  • assertj-core/src/main/java/org/assertj/core/util/xml/XmlStringPrettyFormatter.java+5 0 modified
    @@ -41,7 +41,12 @@
  * Very much inspired by http://stackoverflow.com/questions/139076/how-to-pretty-print-xml-from-java and
  * http://pastebin.com/XL7932aC
  * </p>
+ * @deprecated this is an internal utility for
+ * {@link org.assertj.core.api.AbstractCharSequenceAssert#isXmlEqualTo(CharSequence) isXmlEqualTo(CharSequence)}
+ * rather than a feature for AssertJ users, therefore its usage is discouraged and
+ * no replacement is provided.
  */
+@Deprecated
 public class XmlStringPrettyFormatter {
 
   private static final String FORMAT_ERROR = "Unable to format XML string";
  • assertj-tests/assertj-integration-tests/assertj-core-tests/src/test/java/org/assertj/tests/core/util/xml/XmlStringPrettyFormatter_prettyFormat_Test.java+0 3 modified
    @@ -18,14 +18,11 @@
 import static org.assertj.core.api.Assertions.catchException;
 import static org.assertj.core.api.BDDAssertions.then;
 import static org.assertj.core.util.xml.XmlStringPrettyFormatter.xmlPrettyFormat;
-import static org.junit.jupiter.params.provider.Arguments.argumentSet;
 
 import java.math.BigDecimal;
-import java.util.List;
 
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.FieldSource;
 import org.junit.jupiter.params.provider.ValueSource;
 import org.junitpioneer.jupiter.DefaultLocale;
 import org.xml.sax.SAXParseException;

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.