CVE-2025-52888 (GCVE-0-2025-52888)
Vulnerability from cvelistv5 – Published: 2025-06-24 19:45 – Updated: 2025-06-24 19:56
VLAI?
Title
Allure 2's xunit-xml-plugin Vulnerable to Improper XXE Restriction
Summary
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
Severity ?
7.5 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| allure-framework | allure2 |
Affected:
< 2.34.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52888",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-24T19:56:24.747546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T19:56:50.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "allure2",
"vendor": "allure-framework",
"versions": [
{
"status": "affected",
"version": "\u003c 2.34.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-24T19:45:22.854Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg"
},
{
"name": "https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7"
}
],
"source": {
"advisory": "GHSA-h7qf-qmf3-85qg",
"discovery": "UNKNOWN"
},
"title": "Allure 2\u0027s xunit-xml-plugin Vulnerable to Improper XXE Restriction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-52888",
"datePublished": "2025-06-24T19:45:22.854Z",
"dateReserved": "2025-06-20T17:42:25.709Z",
"dateUpdated": "2025-06-24T19:56:50.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-52888\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-24T20:15:26.700\",\"lastModified\":\"2025-06-26T18:58:14.280\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"Allure 2 es la versi\u00f3n 2.x de Allure Report, una herramienta multiling\u00fce para la generaci\u00f3n de informes de pruebas. Existe una vulnerabilidad cr\u00edtica de Entidad Externa XML (XXE) en el complemento xunit-xml utilizado por Allure 2 en versiones anteriores a la 2.34.1. El complemento no configura de forma segura el analizador XML (`DocumentBuilderFactory`) y permite la expansi\u00f3n de entidades externas al procesar archivos .xml de resultados de pruebas. Esto permite a los atacantes leer archivos arbitrarios del sistema de archivos y, potencialmente, activar server-side request forgery (SSRF). La versi\u00f3n 2.34.1 incluye un parche para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"references\":[{\"url\":\"https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-52888\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-24T19:56:24.747546Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-24T19:56:30.244Z\"}}], \"cna\": {\"title\": \"Allure 2\u0027s xunit-xml-plugin Vulnerable to Improper XXE Restriction\", \"source\": {\"advisory\": \"GHSA-h7qf-qmf3-85qg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"allure-framework\", \"product\": \"allure2\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.34.1\"}]}], \"references\": [{\"url\": \"https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg\", \"name\": \"https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7\", \"name\": \"https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611: Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-24T19:45:22.854Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-52888\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-24T19:56:50.479Z\", \"dateReserved\": \"2025-06-20T17:42:25.709Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-24T19:45:22.854Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-H7QF-QMF3-85QG
Vulnerability from github – Published: 2025-06-25 14:14 – Updated: 2025-06-25 14:14
VLAI?
Summary
Allure Report allows Improper XXE Restriction via DocumentBuilderFactory
Details
Summary
A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (DocumentBuilderFactory) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF).
Details
In \allure2-main\plugins\xunit-xml-plugin\src\main\java\io\qameta\allure\xunitxml\XunitXmlPlugin.java the application uses DocumentBuilderFactory without disabling DTDs or external entities. By generating a report with a malicious xml file within it, an attacker can perform XXE to leverage SSRF, or to read system files.
PoC
To recreate this vulnerability, you need to install allure for command-line (In my POC I used a Windows 11 Machine).
- Create a folder called
allure, and within it, create a malicious XML file. I will attach my SSRF and file reading payloads, however, for the rest of the POC, I will focus on reading system files for better screenshots.
SSRF (replace webhook link with your own)
Reading System Files
- Put the malicious .xml file into the
alluredirectory created previously - Run the following command to run the report
allure generate C:\path\to\directory\allure -o report --clean - To view and confirm the executed payload, run
allure open report - When the report opens, confirm the payload executedby going to
Categories > Product defects > <payload response>
Impact
The explained XXE vulnerability can lead to Arbitrary File Disclosure and Server-Side Request Forgery. This exploitation can also be carried out silently, meaning it can be carried out without user interaction if the tool is automated within an application, and can go undetected with a carefully crafted payload. This could allow a malicious actor to view other source codes which may contain API or product keys, internal application URLs, or other secret items. This makes it an especially high risk when ran within a CI/CD platform.
Severity ?
7.5 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.34.0"
},
"package": {
"ecosystem": "Maven",
"name": "io.qameta.allure.plugins:xunit-xml-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.34.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.34.0"
},
"package": {
"ecosystem": "Maven",
"name": "io.qameta.allure.plugins:junit-xml-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.34.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.34.0"
},
"package": {
"ecosystem": "Maven",
"name": "io.qameta.allure.plugins:trx-plugin"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.34.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-52888"
],
"database_specific": {
"cwe_ids": [
"CWE-611"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-25T14:14:09Z",
"nvd_published_at": "2025-06-24T20:15:26Z",
"severity": "HIGH"
},
"details": "### Summary\nA critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF).\n\n### Details\nIn `\\allure2-main\\plugins\\xunit-xml-plugin\\src\\main\\java\\io\\qameta\\allure\\xunitxml\\XunitXmlPlugin.java` the application uses `DocumentBuilderFactory` without disabling DTDs or external entities. By generating a report with a malicious xml file within it, an attacker can perform XXE to leverage SSRF, or to read system files.\n\n### PoC\nTo recreate this vulnerability, you need to install allure for command-line (In my POC I used a Windows 11 Machine). \n\n1. Create a folder called `allure`, and within it, create a malicious XML file. I will attach my SSRF and file reading payloads, however, for the rest of the POC, I will focus on reading system files for better screenshots.\n##SSRF (replace webhook link with your own)\n\n\n##Reading System Files\n\n\n2. Put the malicious .xml file into the `allure` directory created previously\n3. Run the following command to run the report `allure generate C:\\path\\to\\directory\\allure -o report --clean`\n4. To view and confirm the executed payload, run `allure open report`\n5. When the report opens, confirm the payload executedby going to `Categories \u003e Product defects \u003e \u003cpayload response\u003e`\n\n\n\n\n### Impact\nThe explained XXE vulnerability can lead to Arbitrary File Disclosure and Server-Side Request Forgery. This exploitation can also be carried out silently, meaning it can be carried out without user interaction if the tool is automated within an application, and can go undetected with a carefully crafted payload. This could allow a malicious actor to view other source codes which may contain API or product keys, internal application URLs, or other secret items. This makes it an especially high risk when ran within a CI/CD platform.",
"id": "GHSA-h7qf-qmf3-85qg",
"modified": "2025-06-25T14:14:09Z",
"published": "2025-06-25T14:14:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52888"
},
{
"type": "WEB",
"url": "https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7"
},
{
"type": "PACKAGE",
"url": "https://github.com/allure-framework/allure2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Allure Report allows Improper XXE Restriction via DocumentBuilderFactory"
}
FKIE_CVE-2025-52888
Vulnerability from fkie_nvd - Published: 2025-06-24 20:15 - Updated: 2025-06-26 18:58
Severity ?
Summary
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue."
},
{
"lang": "es",
"value": "Allure 2 es la versi\u00f3n 2.x de Allure Report, una herramienta multiling\u00fce para la generaci\u00f3n de informes de pruebas. Existe una vulnerabilidad cr\u00edtica de Entidad Externa XML (XXE) en el complemento xunit-xml utilizado por Allure 2 en versiones anteriores a la 2.34.1. El complemento no configura de forma segura el analizador XML (`DocumentBuilderFactory`) y permite la expansi\u00f3n de entidades externas al procesar archivos .xml de resultados de pruebas. Esto permite a los atacantes leer archivos arbitrarios del sistema de archivos y, potencialmente, activar server-side request forgery (SSRF). La versi\u00f3n 2.34.1 incluye un parche para este problema."
}
],
"id": "CVE-2025-52888",
"lastModified": "2025-06-26T18:58:14.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-24T20:15:26.700",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…