CVE-2026-24400

AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values. An application is vulnerable only when it uses untrusted XML input with either isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert or xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter. If untrusted XML input is processed by tone of these methods, an attacker couldnread arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via "Billion Laughs" entity expansion attacks. isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace isXmlEqualTo(CharSequence) with XMLUnit, upgrade to version 3.27.7, or avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input. XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

Database specific

{
    "cwe_ids": [
        "CWE-611"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24400.json"
}

References

Affected packages

Git / github.com/assertj/assertj

Affected ranges

Type: GIT
Repo: https://github.com/assertj/assertj
Events: Introduced

dd1322636590a74cb00d1f9b1c1f5014f4487086

Fixed

e84071667f5f8f13084af9dfa54cee5fd9db18db

Affected versions

assertj-build-3.*

assertj-build-3.24.0

assertj-build-3.24.1

assertj-build-3.25.0

assertj-build-3.25.1

assertj-build-3.25.2

assertj-build-3.25.3

assertj-build-3.26.0

assertj-build-3.26.3

assertj-build-3.27.0

assertj-build-3.27.1

assertj-build-3.27.2

assertj-build-3.27.3

assertj-build-3.27.4

assertj-build-3.27.5

assertj-build-3.27.6

assertj-core-1.*

assertj-core-1.4.0

assertj-core-1.5.0

assertj-core-1.6.0

assertj-core-1.6.1

assertj-core-1.7.0

assertj-core-2.*

assertj-core-2.0.0

assertj-core-2.1.0

assertj-core-2.2.0

assertj-core-2.3.0

assertj-core-2.4.0

assertj-core-2.4.1

assertj-core-2.5.0

assertj-core-2.6.0

assertj-core-2.7.0

assertj-core-2.8.0

assertj-core-2.9.0

assertj-core-3.*

assertj-core-3.0.0

assertj-core-3.1.0

assertj-core-3.10.0

assertj-core-3.11.0

assertj-core-3.11.1

assertj-core-3.12.0

assertj-core-3.12.1

assertj-core-3.12.2

assertj-core-3.13.0

assertj-core-3.13.1

assertj-core-3.13.2

assertj-core-3.14.0

assertj-core-3.15.0

assertj-core-3.16.0

assertj-core-3.16.1

assertj-core-3.17.0

assertj-core-3.17.1

assertj-core-3.17.2

assertj-core-3.18.0

assertj-core-3.18.1

assertj-core-3.19.0

assertj-core-3.2.0

assertj-core-3.20.0

assertj-core-3.20.1

assertj-core-3.20.2

assertj-core-3.21.0

assertj-core-3.22.0

assertj-core-3.23.0

assertj-core-3.23.1

assertj-core-3.3.0

assertj-core-3.4.0

assertj-core-3.4.1

assertj-core-3.5.0

assertj-core-3.5.1

assertj-core-3.5.2

assertj-core-3.6.0

assertj-core-3.6.1

assertj-core-3.7.0

assertj-core-3.8.0

assertj-core-3.9.0

assertj-core-3.9.1

assertj-core-java8-1.*

assertj-core-java8-1.0.0m1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24400.json"