Update dependency org.assertj:assertj-core to v3.27.7 [SECURITY] #9

Open
renovate wants to merge 1 commit from renovate/maven-org.assertj-assertj-core-vulnerability into main
Member

This PR contains the following updates:

Package Type Update Change
org.assertj:assertj-core (source) dependencies minor 3.24.23.27.7

⚠️ Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion

CVE-2026-24400 / GHSA-rqfh-9r24-8c9r

More information

Details

An XML External Entity (XXE) vulnerability exists in org.assertj.core.util.xml.XmlStringPrettyFormatter: the toXmlDocument(String) method initializes DocumentBuilderFactory with default settings, without disabling DTDs or external entities. This formatter is used by the isXmlEqualTo(CharSequence) assertion for CharSequence values.

An application is vulnerable only when it uses untrusted XML input with one of the following methods:

  • isXmlEqualTo(CharSequence) from org.assertj.core.api.AbstractCharSequenceAssert
  • xmlPrettyFormat(String) from org.assertj.core.util.xml.XmlStringPrettyFormatter
Impact

If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could:

  • Read arbitrary local files via file:// URIs (e.g., /etc/passwd, application configuration files)
  • Perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs
  • Cause Denial of Service via "Billion Laughs" entity expansion attacks
Mitigation

isXmlEqualTo(CharSequence) has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference:

  1. Replace isXmlEqualTo(CharSequence) with XMLUnit, or
  2. Upgrade to version 3.27.7, or
  3. Avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with untrusted input.

XmlStringPrettyFormatter has historically been considered a utility for isXmlEqualTo(CharSequence) rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement.

References

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [org.assertj:assertj-core](https://assertj.github.io/doc/#assertj-core) ([source](https://github.com/assertj/assertj)) | dependencies | minor | `3.24.2` → `3.27.7` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the [Dependency Dashboard](issues/3) for more information. --- ### AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion [CVE-2026-24400](https://nvd.nist.gov/vuln/detail/CVE-2026-24400) / [GHSA-rqfh-9r24-8c9r](https://github.com/advisories/GHSA-rqfh-9r24-8c9r) <details> <summary>More information</summary> #### Details An XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with one of the following methods: - `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` - `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter` ##### Impact If untrusted XML input is processed by the methods mentioned above (e.g., in test environments handling external fixture files), an attacker could: - **Read arbitrary local files** via `file://` URIs (e.g., `/etc/passwd`, application configuration files) - **Perform Server-Side Request Forgery (SSRF)** via HTTP/HTTPS URIs - **Cause Denial of Service** via "Billion Laughs" entity expansion attacks ##### Mitigation `isXmlEqualTo(CharSequence)` has been deprecated in favor of [XMLUnit](https://www.xmlunit.org/) in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: 1. Replace `isXmlEqualTo(CharSequence)` with XMLUnit, or 2. Upgrade to version 3.27.7, or 3. Avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. ##### References - [CWE-611: Improper Restriction of XML External Entity Reference](https://cwe.mitre.org/data/definitions/611.html) - [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) #### Severity - CVSS Score: 8.2 / 10 (High) - Vector String: `CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N` #### References - [https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r](https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r) - [https://nvd.nist.gov/vuln/detail/CVE-2026-24400](https://nvd.nist.gov/vuln/detail/CVE-2026-24400) - [https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a](https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a) - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html) - [https://github.com/assertj/assertj](https://github.com/assertj/assertj) - [https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7](https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-rqfh-9r24-8c9r) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMzEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIzMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
kayos force-pushed renovate/maven-org.assertj-assertj-core-vulnerability from a28cea5df7 to d55da4d86e 2026-06-28 22:01:57 -07:00 Compare
Author
Member

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

### Edited/Blocked Notification Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠️ **Warning**: custom changes will be lost.
Some checks failed
Checking for spelling errors / rojopolis/spellcheck (push) Has been cancelled
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/maven-org.assertj-assertj-core-vulnerability:renovate/maven-org.assertj-assertj-core-vulnerability
git checkout renovate/maven-org.assertj-assertj-core-vulnerability

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git checkout main
git merge --no-ff renovate/maven-org.assertj-assertj-core-vulnerability
git checkout renovate/maven-org.assertj-assertj-core-vulnerability
git rebase main
git checkout main
git merge --ff-only renovate/maven-org.assertj-assertj-core-vulnerability
git checkout renovate/maven-org.assertj-assertj-core-vulnerability
git rebase main
git checkout main
git merge --no-ff renovate/maven-org.assertj-assertj-core-vulnerability
git checkout main
git merge --squash renovate/maven-org.assertj-assertj-core-vulnerability
git checkout main
git merge --ff-only renovate/maven-org.assertj-assertj-core-vulnerability
git checkout main
git merge renovate/maven-org.assertj-assertj-core-vulnerability
git push origin main
Sign in to join this conversation.
No reviewers
No labels
No milestone
No project
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Sulkta-OSS/dynmap-neoforge#9
No description provided.