
CVE-2025-52888
Good to know:


Date: June 24, 2025
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser ("DocumentBuilderFactory") and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
Weakness Type (CWE)
Improper Restriction of XML External Entity Reference
CWE-611
Top Fix

Upgrade Version
Upgrade to version io.qameta.allure.plugins:xunit-xml-plugin:2.34.1; io.qameta.allure.plugins:trx-plugin:2.34.1; io.qameta.allure.plugins:junit-xml-plugin:2.34.1; https://github.com/allure-framework/allure2.git - 2.34.1
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | NONE |
Availability (A): | NONE |