
CVE-2025-52888: CWE-611: Improper Restriction of XML External Entity Reference in allure-framework allure2

High
Tags: Vulnerability, CVE-2025-52888, cve, cwe-611
Published: Tue Jun 24 2025 (06/24/2025, 19:45:22 UTC)
Source: CVE Database V5
Vendor/Project: allure-framework
Product: allure2

Description

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 20:19:28 UTC

Technical Analysis

CVE-2025-52888 is a high-severity XML External Entity (XXE) vulnerability affecting the xunit-xml-plugin component of Allure 2, a widely used multi-language test reporting tool. This vulnerability exists in Allure 2 versions prior to 2.34.1 due to improper configuration of the XML parser (DocumentBuilderFactory). Specifically, the parser allows external entity expansion when processing test result XML files, which can be exploited by an attacker to read arbitrary files on the server's filesystem. Additionally, the vulnerability may enable server-side request forgery (SSRF) attacks by causing the server to make unintended HTTP requests.

The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 7.5 (high), reflecting the ease of exploitation (network vector, low attack complexity) and the significant confidentiality impact, although integrity and availability are not affected. The vulnerability was publicly disclosed on June 24, 2025, and patched in Allure 2 version 2.34.1. No known exploits are currently reported in the wild.

The root cause is the failure to disable external entity processing in the XML parser, a common misconfiguration leading to CWE-611 (Improper Restriction of XML External Entity Reference). Attackers can craft malicious XML test result files that, when processed by the vulnerable plugin, trigger the XXE attack. This can lead to sensitive information disclosure and potentially facilitate further attacks via SSRF, such as internal network scanning or accessing internal services.

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on Allure 2 for automated test reporting in their software development lifecycle. The ability to read arbitrary files can lead to exposure of sensitive configuration files, credentials, or intellectual property. SSRF capabilities may allow attackers to pivot into internal networks, potentially compromising internal services or cloud metadata endpoints. Organizations in sectors with strict data protection regulations (e.g., GDPR) face increased compliance risks if sensitive data is leaked. Since Allure 2 is used in continuous integration/continuous deployment (CI/CD) pipelines, exploitation could undermine software integrity indirectly by exposing test environments or build servers. The lack of required authentication and user interaction increases the risk of automated exploitation. While no integrity or availability impacts are directly associated, the confidentiality breach alone can have severe operational and reputational consequences.

Mitigation Recommendations

European organizations should immediately upgrade Allure 2 to version 2.34.1 or later to apply the official patch that disables external entity processing in the XML parser. Until an upgrade is possible, organizations should implement strict input validation and sanitization on all XML test result files, ideally rejecting or sandboxing untrusted inputs. Restrict file system permissions for the user running Allure 2 to minimize the impact of arbitrary file reads. Network-level controls should be applied to limit outbound HTTP requests from build and test servers to prevent SSRF exploitation. Monitoring and alerting on unusual file access or network activity from these servers can help detect exploitation attempts. Additionally, organizations should review their CI/CD pipeline security posture, ensuring that only trusted sources can submit test result files and that build environments are isolated. Regular security assessments and code reviews of custom plugins or integrations with Allure 2 are recommended to detect similar misconfigurations.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-20T17:42:25.709Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685b013966faf0c1de3b077a

Added to database: 6/24/2025, 7:49:13 PM

Last enriched: 6/24/2025, 8:19:28 PM

Last updated: 8/15/2025, 5:15:18 AM
