XML External Entity Vulnerability in Allure Report 2.x by Allure Framework
CVE-2025-52888

7.5 HIGH

Key Information:

Status
Vendor
CVE Published: 24 June 2025

What is CVE-2025-52888?

Allure Report 2.x, developed by Allure Framework, contains an XML External Entity (XXE) vulnerability in the xunit-xml-plugin, which processes test result files. The vulnerability arises from an insecure configuration of the XML parser (DocumentBuilderFactory) that permits external entity expansion when parsing .xml result files. An attacker who can supply a crafted result file can exploit this to read arbitrary files from the file system and may also trigger server-side request forgery (SSRF). A patch addressing this vulnerability is included in version 2.34.1.
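The following is an added example, not code from Allure Report or the xunit-xml-plugin, showing the defect class the advisory describes: a `DocumentBuilderFactory` left at its defaults beside one configured so that a result file carrying a DOCTYPE is rejected before any entity can be resolved. The sample XML, the class name and the method names are constructed for this illustration; the feature URIs are the standard Xerces/JAXP ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XunitParserHardening {

    // Constructed sample: an xunit-style result file that carries a DOCTYPE
    // with an internal entity. Genuine test output never needs a DTD, so a
    // hardened parser should refuse the document outright rather than try to
    // decide which entity declarations are harmless.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE assembly [ <!ENTITY note \"declared-in-dtd\"> ]>\n"
      + "<assembly name=\"demo\"><test name=\"t1\" result=\"Pass\">&note;</test></assembly>";

    // Constructed sample: the same result file without any DTD.
    static final String SAMPLE_CLEAN =
        "<?xml version=\"1.0\"?>\n"
      + "<assembly name=\"demo\"><test name=\"t1\" result=\"Pass\"/></assembly>";

    // Weak configuration: a factory at its defaults processes the DTD and
    // resolves entity references, which is the behaviour the advisory reports.
    static DocumentBuilderFactory insecureFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: forbid DOCTYPE declarations entirely and, as
    // defence in depth, switch off external entities, external DTD loading,
    // XInclude and entity expansion in case a different parser ignores the
    // first feature.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses an in-memory document with the given factory.
    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder builder = f.newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Returns true if the factory accepted a document that carries a DOCTYPE,
    // i.e. the configuration is exposed to the XXE class of bugs.
    static boolean acceptsDoctype(DocumentBuilderFactory f) throws Exception {
        try {
            parse(f, SAMPLE_WITH_DOCTYPE);
            return true;
        } catch (SAXParseException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory accepts DOCTYPE:  " + acceptsDoctype(insecureFactory()));
        System.out.println("hardened factory accepts DOCTYPE: " + acceptsDoctype(hardenedFactory()));
        // The hardened factory still parses ordinary result files.
        Document ok = parse(hardenedFactory(), SAMPLE_CLEAN);
        System.out.println("hardened factory parsed clean file, root = "
            + ok.getDocumentElement().getTagName());
    }
}
```

With the JDK's bundled parser the default factory prints `true` for the DOCTYPE sample and the hardened one prints `false` while still parsing the clean file. The `acceptsDoctype` check is the shape of a regression test worth keeping next to any code path that parses result files from build agents or uploads: it fails the moment someone swaps in a parser or factory that silently re-enables DTD processing.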

Affected Version(s)

allure2 < 2.34.1

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
