CVE-2025-52888 is a high-severity XML External Entity (XXE) vulnerability affecting the xunit-xml-plugin component of Allure 2, a widely used multi-language test reporting tool. This vulnerability exists in Allure 2 versions prior to 2.34.1 due to improper configuration of the XML parser (DocumentBuilderFactory). Specifically, the parser allows external entity expansion when processing test result XML files, which can be exploited by an attacker to read arbitrary files on the server's filesystem. Additionally, the vulnerability may enable server-side request forgery (SSRF) attacks by causing the server to make unintended HTTP requests. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 7.5 (high), reflecting the ease of exploitation (network vector, low attack complexity) and the significant confidentiality impact, although integrity and availability are not affected. The vulnerability was publicly disclosed on June 24, 2025, and patched in Allure 2 version 2.34.1. No known exploits are currently reported in the wild. The root cause is the failure to disable external entity processing in the XML parser, a common misconfiguration leading to CWE-611 (Improper Restriction of XML External Entity Reference). Attackers can craft malicious XML test result files that, when processed by the vulnerable plugin, trigger the XXE attack. This can lead to sensitive information disclosure and potentially facilitate further attacks via SSRF, such as internal network scanning or accessing internal services.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Allure 2 for automated test reporting in their software development lifecycle. The ability to read arbitrary files can lead to exposure of sensitive configuration files, credentials, or intellectual property. SSRF capabilities may allow attackers to pivot into internal networks, potentially compromising internal services or cloud metadata endpoints. Organizations in sectors with strict data protection regulations (e.g., GDPR) face increased compliance risks if sensitive data is leaked. Since Allure 2 is used in continuous integration/continuous deployment (CI/CD) pipelines, exploitation could undermine software integrity indirectly by exposing test environments or build servers. The lack of required authentication and user interaction increases the risk of automated exploitation. While no integrity or availability impacts are directly associated, the confidentiality breach alone can have severe operational and reputational consequences.

European organizations should immediately upgrade Allure 2 to version 2.34.1 or later to apply the official patch that disables external entity processing in the XML parser. Until upgrade is possible, organizations should implement strict input validation and sanitization on all XML test result files, ideally rejecting or sandboxing untrusted inputs. Restrict file system permissions for the user running Allure 2 to minimize the impact of arbitrary file reads. Network-level controls should be applied to limit outbound HTTP requests from build and test servers to prevent SSRF exploitation. Monitoring and alerting on unusual file access or network activity from these servers can help detect exploitation attempts. Additionally, organizations should review their CI/CD pipeline security posture, ensuring that only trusted sources can submit test result files and that build environments are isolated. Regular security assessments and code reviews of custom plugins or integrations with Allure 2 are recommended to detect similar misconfigurations.