Play AppSec WarGames
Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.
In December 2024, a critical XML External Entity (XXE) injection vulnerability was discovered in the http4k toolkit, a popular functional HTTP framework for Kotlin applications. The issue, designated as CVE-2024-55875, stems from the insecure handling of XML payloads in incoming requests. Specifically, http4k used Java’s DocumentBuilder to parse XML without configuring it to disable potentially dangerous features like external entity resolution. As a result, attackers could exploit this oversight to inject malicious XML content and leverage XXE attacks.
Even though no public incidents exploiting this specific vulnerability have been reported, the underlying weakness had significant potential for harm. If left unaddressed, insecure XML parsing using JAXBContext and XMLInputFactory could allow attackers to craft malicious payloads, with consequences that depend on the runtime environment: unauthorised access to sensitive server files, Server-Side Request Forgery (SSRF), or even arbitrary code execution in extreme scenarios. This elevated the severity of the vulnerability, making it crucial for developers using affected versions of http4k to take immediate action.
We built a challenge that reproduces this vulnerability; check it out:
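The two paragraphs above describe the root cause (a JAXP parser created with its defaults) and the APIs involved (DocumentBuilder, XMLInputFactory). The following Kotlin snippet is an added example written for this post, not http4k's own code or the code from the challenge: it places a default DocumentBuilder next to a hardened one and a hardened XMLInputFactory, and runs both builders over a constructed document that carries a DOCTYPE. The sample XML, the function names and the `main` are assumptions made for illustration; the feature and property URIs are the standard JAXP/StAX ones.

```kotlin
import java.io.ByteArrayInputStream
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilder
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.stream.XMLInputFactory
import org.w3c.dom.Document
import org.xml.sax.SAXParseException

// Constructed sample (not from the advisory): a DOCTYPE declaring an internal
// entity. The hardening below rejects any DOCTYPE, so it blocks external entity
// declarations as well without needing to inspect what the DTD contains.
const val SAMPLE_WITH_DOCTYPE = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting;</note>"""

// Vulnerable configuration: factory defaults keep DTD processing and entity
// resolution enabled, which is the class of misconfiguration behind CVE-2024-55875.
fun unsafeDocumentBuilder(): DocumentBuilder =
    DocumentBuilderFactory.newInstance().newDocumentBuilder()

// Hardened configuration using the JAXP features OWASP recommends for XXE prevention.
fun hardenedDocumentBuilder(): DocumentBuilder {
    val factory = DocumentBuilderFactory.newInstance()
    // Most robust single setting: XXE needs a DTD to declare entities, so refuse DOCTYPE outright.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth in case DOCTYPE is ever re-enabled for a specific document type.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    factory.isXIncludeAware = false
    factory.isExpandEntityReferences = false
    return factory.newDocumentBuilder()
}

// Same idea for the StAX entry point the post mentions: disable DTD support and
// external entity resolution before any XMLStreamReader is created from it.
fun hardenedXmlInputFactory(): XMLInputFactory {
    val factory = XMLInputFactory.newInstance()
    factory.setProperty(XMLInputFactory.SUPPORT_DTD, false)
    factory.setProperty("javax.xml.stream.isSupportingExternalEntities", false)
    return factory
}

fun parse(builder: DocumentBuilder, xml: String): Document =
    builder.parse(ByteArrayInputStream(xml.toByteArray(Charsets.UTF_8)))

fun main() {
    // The default builder expands the entity and returns the document.
    val doc = parse(unsafeDocumentBuilder(), SAMPLE_WITH_DOCTYPE)
    println("unsafe parser accepted the document: note = '${doc.documentElement.textContent}'")

    // The hardened builder rejects the document before any entity is resolved.
    try {
        parse(hardenedDocumentBuilder(), SAMPLE_WITH_DOCTYPE)
        println("hardened parser: unexpectedly accepted the document")
    } catch (e: SAXParseException) {
        println("hardened parser rejected the DOCTYPE: ${e.message}")
    }

    // The hardened StAX factory is ready to hand to whatever reads request bodies.
    val stax = hardenedXmlInputFactory()
    println("StAX SUPPORT_DTD = ${stax.getProperty(XMLInputFactory.SUPPORT_DTD)}")
}
```

The useful check for a code review is the first line of `hardenedDocumentBuilder`: if `disallow-doctype-decl` is set, a DOCTYPE in an incoming request fails fast with a `SAXParseException` (the JDK's default error handler also logs a `[Fatal Error]` line to stderr, which is a convenient detection signal), and no entity, internal or external, is ever resolved. The remaining features only matter for code paths that genuinely have to accept a DTD.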
Available for free via the Weekly Challenge until 21st May
Join our secure coding and AppSec community: a discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec, code review, and more.