A critical XML External Entity (XXE) Injection vulnerability, identified as CVE-2024-55875, has been discovered in the http4k toolkit, a lightweight HTTP framework written in Kotlin. With a CVSS score of 9.8, this vulnerability poses significant risks, including sensitive data exposure, Server-Side Request Forgery (SSRF), and, under certain circumstances, remote code execution.
The vulnerability arises from an insecure configuration of the DocumentBuilder used to parse XML data. The DocumentBuilderFactory in http4k lacks the secure settings that disable external entity resolution, so an attacker can supply XML payloads whose external entities the parser resolves.
As noted in the vulnerability disclosure, “XML contents is parsed with DocumentBuilder without security settings on or external entity enabled,” leaving applications that use this feature open to exploitation.
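The remedy for this class of bug is the secure DocumentBuilderFactory configuration the disclosure says was missing. As an added example, not http4k's own code, here is a hardened builder in Kotlin (the helper names hardenedDocumentBuilder and parseUntrusted are assumptions) exercised against a constructed document that carries a DOCTYPE declaring an external entity:

```kotlin
import java.io.StringReader
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilder
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document
import org.xml.sax.InputSource
import org.xml.sax.SAXParseException

// Hypothetical hardening helper (not http4k's code): a DocumentBuilder that
// refuses DTDs and external entities, the settings the vulnerable factory lacked.
fun hardenedDocumentBuilder(): DocumentBuilder {
    val factory = DocumentBuilderFactory.newInstance()
    // Turn on the JAXP secure-processing limits.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    // Refuse any DOCTYPE at all: no DTD means no entity declarations, so no XXE.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth in case an implementation ignores the feature above.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    factory.isXIncludeAware = false
    factory.isExpandEntityReferences = false
    return factory.newDocumentBuilder()
}

fun parseUntrusted(xml: String): Document =
    hardenedDocumentBuilder().parse(InputSource(StringReader(xml)))

// Constructed samples: a plain document, and one carrying a DOCTYPE that
// declares an external entity, the shape an XXE payload takes.
const val SAMPLE_PLAIN = """<?xml version="1.0"?><order><note>hello</note></order>"""
const val SAMPLE_WITH_DOCTYPE = """<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "http://placeholder.invalid/x"> ]>
<order><note>&ext;</note></order>"""

fun main() {
    // Ordinary documents still parse.
    println("root element: " + parseUntrusted(SAMPLE_PLAIN).documentElement.tagName)
    // The DOCTYPE-bearing document is rejected before any entity could be resolved.
    try {
        parseUntrusted(SAMPLE_WITH_DOCTYPE)
        println("UNEXPECTED: document with DOCTYPE was accepted")
    } catch (e: SAXParseException) {
        println("rejected as expected: " + e.message)
    }
}
```

With disallow-doctype-decl set, the JDK parser throws a SAXParseException on the DOCTYPE line, before any entity or external resource is touched.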
If exploited, the vulnerability can allow attackers to:
- Access Sensitive Information: Read local server files such as configuration files, environment variables, and other sensitive data.
- Initiate SSRF Attacks: Make the server issue requests to attacker-chosen endpoints, potentially exposing internal services to external attackers.
- Execute Arbitrary Code: In specific scenarios, attackers could execute malicious commands or scripts on the server.
The following versions of http4k are affected:
- Versions <= 5.40.0.0
- Versions <= 4.49.0.0
The issue has been resolved in:
- Version 5.41.0.0
- Version 4.50.0.0
A PoC exploit demonstrates how attackers can trigger SSRF using the following curl command:
This payload exploits the insecure XML parsing feature of http4k to perform unauthorized actions.