CVE-2025-52888— Allure 2's xunit-xml-plugin Vulnerable to Improper XXE Restriction
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-52888
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Allure 2's xunit-xml-plugin Vulnerable to Improper XXE Restriction
Source: NVD (National Vulnerability Database)
Vulnerability Description
Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Allure Report 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Allure Report是Allure Framework开源的一个灵活、轻量级的多语言测试报告工具。 Allure Report 2 2.34.1之前版本存在代码问题漏洞,该漏洞源于xunit-xml-plugin未安全配置XML解析器,可能导致XXE攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| allure-framework | allure2 | < 2.34.1 | - |
II. Public POCs for CVE-2025-52888
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-52888
请登录查看更多情报信息。
- Improper XXE Restriction · Advisory · allure-framework/allure2 · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2025-52888
IV. Related Vulnerabilities
Same weakness: CWE-611
- CVE-2026-41936
Vvveb < 1.0.8.2 XML External Entity Injection via Import - CVE-2026-40682
Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntr - CVE-2026-6501
ILM Informatique jOpenDocument 代码问题漏洞 - CVE-2025-14543
Improper Restriction of XML External Entity Reference vulner - CVE-2024-13971
Arbitrary File Read and Server Side Request Forgery via XML
V. Comments for CVE-2025-52888
No comments yet