Bug#1127938: assertj-core: CVE-2026-24400

Salvatore Bonaccorso carnil at debian.org
Sat Feb 14 14:41:42 GMT 2026 

Source: assertj-core
Version: 3.26.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for assertj-core.

CVE-2026-24400[0]:
| AssertJ provides Fluent testing assertions for Java and the Java
| Virtual Machine (JVM). Starting in version 1.4.0 and prior to
| version 3.27.7, an XML External Entity (XXE) vulnerability exists in
| `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the
| `toXmlDocument(String)` method initializes `DocumentBuilderFactory`
| with default settings, without disabling DTDs or external entities.
| This formatter is used by the `isXmlEqualTo(CharSequence)` assertion
| for `CharSequence` values. An application is vulnerable only when it
| uses untrusted XML input with either `isXmlEqualTo(CharSequence)`
| from `org.assertj.core.api.AbstractCharSequenceAssert` or
| `xmlPrettyFormat(String)` from
| `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted
| XML input is processed by tone of these methods, an attacker
| couldnread arbitrary local files via `file://` URIs (e.g.,
| `/etc/passwd`, application configuration files); perform Server-Side
| Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of
| Service via "Billion Laughs" entity expansion attacks.
| `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit
| in version 3.18.0 and will be removed in version 4.0. Users of
| affected versions should, in order of preference: replace
| `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version
| 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or
| `XmlStringPrettyFormatter` with untrusted input.
| `XmlStringPrettyFormatter` has historically been considered a
| utility for `isXmlEqualTo(CharSequence)` rather than a feature for
| AssertJ users, so it is deprecated in version 3.27.7 and removed in
| version 4.0, with no replacement.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24400
    https://www.cve.org/CVERecord?id=CVE-2026-24400
[1] https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r
[2] https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

More information about the pkg-java-maintainers mailing list