7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-52888

GHSA ID

GHSA-h7qf-qmf3-85qg

EPSS Score

0.1522%

CWE

CWE-611

Published

6/25/2025

Updated

6/25/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-52888

CVE-2025-52888: Allure Report allows Improper XXE Restriction via DocumentBuilderFactory

Summary

A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (DocumentBuilderFactory) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF).

Details

In \allure2-main\plugins\xunit-xml-plugin\src\main\java\io\qameta\allure\xunitxml\XunitXmlPlugin.java the application uses DocumentBuilderFactory without disabling DTDs or external entities. By generating a report with a malicious xml file within it, an attacker can perform XXE to leverage SSRF, or to read system files.

PoC

To recreate this vulnerability, you need to install allure for command-line (In my POC I used a Windows 11 Machine).

Create a folder called allure, and within it, create a malicious XML file. I will attach my SSRF and file reading payloads, however, for the rest of the POC, I will focus on reading system files for better screenshots. ##SSRF (replace webhook link with your own)

##Reading System Files

Put the malicious .xml file into the allure directory created previously
Run the following command to run the report allure generate C:\path\to\directory\allure -o report --clean
To view and confirm the executed payload, run allure open report
When the report opens, confirm the payload executedby going to Categories > Product defects > <payload response>

Impact

The explained XXE vulnerability can lead to Arbitrary File Disclosure and Server-Side Request Forgery. This exploitation can also be carried out silently, meaning it can be carried out without user interaction if the tool is automated within an application, and can go undetected with a carefully crafted payload. This could allow a malicious actor to view other source codes which may contain API or product keys, internal application URLs, or other secret items. This makes it an especially high risk when ran within a CI/CD platform.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-52888

GHSA ID

GHSA-h7qf-qmf3-85qg

EPSS Score

0.1522%

CWE

CWE-611

Published

6/25/2025

Updated

6/25/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.qameta.allure.plugins:xunit-xml-plugin	maven	<= 2.34.0	2.34.1
io.qameta.allure.plugins:junit-xml-plugin	maven	<= 2.34.0	2.34.1
io.qameta.allure.plugins:trx-plugin	maven	<= 2.34.0	2.34.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic XML External Entity (XXE) injection affecting three different plugins in Allure Framework: xunit-xml-plugin, junit-xml-plugin, and trx-plugin. The root cause is the same across all three plugins: they use the standard Java DocumentBuilderFactory to parse XML files from the test results directory without properly securing the parser. Specifically, they fail to disable Document Type Definitions (DTDs) and external entity expansion.

The patch cbcb33719851ff70adce85d38e15d20fc58d4eb7 addresses this by:

Introducing a custom ClasspathEntityResolver that only allows resolving DTDs from the application's classpath, effectively blocking external entities from remote or local file system locations.
Setting factory.setValidating(false) to disable DTD validation.
Applying this secure configuration (builder.setEntityResolver(new ClasspathEntityResolver())) to the DocumentBuilder in each of the affected plugins before parsing the input XML file.

The vulnerable functions are the ones that instantiate the insecure XML parser and use it to parse user-controlled files. By analyzing the patch, I identified the following methods where the insecure parsing occurs:

io.qameta.allure.xunitxml.XunitXmlPlugin.parseAssemblies
io.qameta.allure.junitxml.JunitXmlPlugin.parseRootElement
io.qameta.allure.trx.TrxPlugin.parseTestRun

These functions are the direct entry points for the vulnerability. When Allure generates a report, it calls these methods to process XML test result files. An attacker can place a malicious XML file containing an XXE payload in the results directory. When the vulnerable function is called, the parser will process the malicious payload, leading to information disclosure (e.g., reading local files like /etc/passwd) or Server-Side Request Forgery (SSRF). The new test cases added in the patch confirm this behavior by attempting to read a local file via an XXE payload and asserting that the file's content is not present in the final report, proving the fix is effective.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry * *riti**l XML *xt*rn*l *ntity (XX*) vuln*r**ility *xists in t** xunit-xml-plu*in us** *y *llur* *. T** plu*in **ils to s**ur*ly *on*i*ur* t** XML p*rs*r (`*o*um*nt*uil**r***tory`) *n* *llows *xt*rn*l *ntity *xp*nsion w**n pro**ssin* t*st

Reasoning

T** vuln*r**ility is * *l*ssi* XML *xt*rn*l *ntity (XX*) inj**tion *****tin* t*r** *i***r*nt plu*ins in *llur* *r*m*work: `xunit-xml-plu*in`, `junit-xml-plu*in`, *n* `trx-plu*in`. T** root **us* is t** s*m* **ross *ll t*r** plu*ins: t**y us* t** st*n

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-52888: Allure Report allows Improper XXE Restriction via DocumentBuilderFactory

Summary

Details

PoC

Impact

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI