Potential XXE Vulnerability in http4k Could Allow Attackers to Read Local Sensitive Information

CVE-2024-55875

9.8CRITICAL

Key Information

Vendor
Http4k
Status
Http4k
Vendor
CVE Published:
12 December 2024

Badges

👾 Exploit Exists🔴 Public PoC

Summary

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue.

Affected Version(s)

http4k = < 5.41.0.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-55875
Created by JAckLosingHeart

Refferences

https://github.com/http4k/http4k/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/http4k/http4k/commit/35297adc6d6aca495...
x_refsource_MISC
https://github.com/http4k/http4k/blob/25696dff2d90206cc1d...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🔴

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)
.