CVE-2025-52888: CWE-611: Improper Restriction of XML External Entity Reference in allure-framework allure2
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-52888 is a high-severity XML External Entity (XXE) vulnerability affecting the xunit-xml-plugin component of Allure 2, a widely used multi-language test reporting tool. This vulnerability exists in Allure 2 versions prior to 2.34.1 due to improper configuration of the XML parser (DocumentBuilderFactory). Specifically, the parser allows external entity expansion when processing test result XML files, which can be exploited by an attacker to read arbitrary files on the server's filesystem. Additionally, the vulnerability may enable server-side request forgery (SSRF) attacks by causing the server to make unintended HTTP requests. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 7.5 (high), reflecting the ease of exploitation (network vector, low attack complexity) and the significant confidentiality impact, although integrity and availability are not affected. The vulnerability was publicly disclosed on June 24, 2025, and patched in Allure 2 version 2.34.1. No known exploits are currently reported in the wild. The root cause is the failure to disable external entity processing in the XML parser, a common misconfiguration leading to CWE-611 (Improper Restriction of XML External Entity Reference). Attackers can craft malicious XML test result files that, when processed by the vulnerable plugin, trigger the XXE attack. This can lead to sensitive information disclosure and potentially facilitate further attacks via SSRF, such as internal network scanning or accessing internal services.
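The parser misconfiguration described above, shown beside a hardened `DocumentBuilderFactory`, as an added example; this is not Allure's code or the 2.34.1 patch. The class name, method names and both sample documents are constructed for illustration, and the `apache.org` feature URIs assume the JDK's built-in JAXP parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XunitXmlHardening {
    // Constructed sample: a result file carrying a DOCTYPE with a harmless internal entity.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?><!DOCTYPE assemblies [<!ENTITY marker \"expanded\">]>"
        + "<assemblies><assembly name=\"&marker;\"/></assemblies>";
    // Constructed sample: an ordinary result file with no DOCTYPE.
    static final String PLAIN = "<assemblies><assembly name=\"unit-tests\"/></assemblies>";

    // Factory that refuses DTDs outright and, as defence in depth, external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the parsed assembly name, or "REJECTED" when the parser refuses the input.
    static String assemblyName(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getElementsByTagName("assembly")
                    .item(0).getAttributes().getNamedItem("name").getNodeValue();
        } catch (SAXException e) {
            return "REJECTED";
        }
    }

    public static void main(String[] args) throws Exception {
        // A factory left at its defaults processes the DTD and expands the entity.
        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();
        System.out.println("default  + DOCTYPE: " + assemblyName(defaults, WITH_DOCTYPE));
        System.out.println("hardened + DOCTYPE: " + assemblyName(hardenedFactory(), WITH_DOCTYPE));
        System.out.println("hardened + plain  : " + assemblyName(hardenedFactory(), PLAIN));
    }
}
```

When reviewing custom plugins or integrations, any `DocumentBuilderFactory.newInstance()` that reaches `parse()` without these settings is the pattern to flag.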
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on Allure 2 for automated test reporting in their software development lifecycle. The ability to read arbitrary files can lead to exposure of sensitive configuration files, credentials, or intellectual property. SSRF capabilities may allow attackers to pivot into internal networks, potentially compromising internal services or cloud metadata endpoints. Organizations in sectors with strict data protection regulations (e.g., GDPR) face increased compliance risks if sensitive data is leaked. Since Allure 2 is used in continuous integration/continuous deployment (CI/CD) pipelines, exploitation could undermine software integrity indirectly by exposing test environments or build servers. The lack of required authentication and user interaction increases the risk of automated exploitation. While no integrity or availability impacts are directly associated, the confidentiality breach alone can have severe operational and reputational consequences.
Mitigation Recommendations
European organizations should immediately upgrade Allure 2 to version 2.34.1 or later to apply the official patch that disables external entity processing in the XML parser. Until an upgrade is possible, organizations should implement strict input validation and sanitization on all XML test result files, ideally rejecting or sandboxing untrusted inputs. Restrict file system permissions for the user running Allure 2 to minimize the impact of arbitrary file reads. Network-level controls should be applied to limit outbound HTTP requests from build and test servers to prevent SSRF exploitation. Monitoring and alerting on unusual file access or network activity from these servers can help detect exploitation attempts. Additionally, organizations should review their CI/CD pipeline security posture, ensuring that only trusted sources can submit test result files and that build environments are isolated. Regular security assessments and code reviews of custom plugins or integrations with Allure 2 are recommended to detect similar misconfigurations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-20T17:42:25.709Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 685b013966faf0c1de3b077a
Added to database: 6/24/2025, 7:49:13 PM
Last enriched: 6/24/2025, 8:19:28 PM
Last updated: 8/6/2025, 3:32:48 AM