Allure Report allows Improper XXE Restriction via DocumentBuilderFactory

Summary A critical XML External Entity XXE vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser DocumentBuilderFactory and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitra...

GHSA-H7QF-QMF3-85QG Allure Report allows Improper XXE Restriction via DocumentBuilderFactory

Summary A critical XML External Entity XXE vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser DocumentBuilderFactory and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitra...

CVE-2025-52888

CVE-2025-52888 affects Allure 2’s xunit-xml-plugin (pre-2.34.1). The vulnerability arises from insecure configuration of the XML parser (DocumentBuilderFactory), allowing external entity expansion during processing of test result XML files. Impact: arbitrary file disclosure and potential SSRF. Re...

CVE-2025-52888 Allure 2's xunit-xml-plugin Vulnerable to Improper XXE Restriction

Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity XXE vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser DocumentBuilderFactory and...