CVE-2025-52888: Allure Report allows Improper XXE Restriction via DocumentBuilderFactory

June 25, 2025

A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (DocumentBuilderFactory) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF).

References

github.com/advisories/GHSA-h7qf-qmf3-85qg
github.com/allure-framework/allure2
github.com/allure-framework/allure2/commit/cbcb33719851ff70adce85d38e15d20fc58d4eb7
github.com/allure-framework/allure2/security/advisories/GHSA-h7qf-qmf3-85qg
nvd.nist.gov/vuln/detail/CVE-2025-52888

Code Behaviors & Features

Detect and mitigate CVE-2025-52888 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →