CVE-2024-52807 Overview
CVE-2024-52807 is an XML External Entity (XXE) injection vulnerability in the HL7 FHIR IG Publisher, a tool used to generate standard FHIR Implementation Guides from a set of input files. Versions prior to 1.7.4 perform XSLT transforms across multiple components without disabling external entity resolution. An attacker who can submit a crafted XML file with a malicious Document Type Definition (DTD) can force the parser to disclose data from the host filesystem. The flaw is tracked under [CWE-611] and a prior patch attempt provided incomplete remediation, leaving exploitable parser paths exposed.
Critical Impact
Remote attackers without authentication can read arbitrary files on the host running org.hl7.fhir.publisher, exposing sensitive healthcare configuration data and credentials.
Affected Products
- HL7 FHIR IG Publisher (org.hl7.fhir.publisher) versions prior to 1.7.4
- Build pipelines and hosted services that accept user-supplied XML for FHIR Implementation Guide generation
- Downstream tooling embedding the vulnerable XSLT transform components
Discovery Timeline
- 2025-01-24 - CVE-2024-52807 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-52807
Vulnerability Analysis
The HL7 FHIR IG Publisher applies XSLT transformations to user-supplied XML inputs during Implementation Guide generation. The underlying XML parsers used by these transforms accept external entity declarations defined in inline DTDs. When the publisher processes XML containing a malicious DTD such as <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>, the parser resolves the entity and embeds the referenced file contents into the resulting output document.
This vulnerability matters in deployments where external clients can submit XML to a hosted instance of the publisher. The output document then leaks sensitive host data back to the attacker. An earlier release attempted to address XXE in some code paths, but new testing revealed XSLT transform components that still left external entity resolution enabled.
Root Cause
The root cause is improper restriction of XML external entity references during XSLT processing. Multiple XSLT transform components did not configure their parsers with FEATURE_SECURE_PROCESSING enabled or explicitly disable external-general-entities and external-parameter-entities. The incomplete fix in the previous release left a subset of these parser instances exposed.
Attack Vector
An unauthenticated remote attacker submits an XML document containing a crafted inline DTD with SYSTEM entity declarations. When the publisher transforms the document, the parser fetches the referenced URI, which can be a local file path or an internal network resource. The expanded entity contents are returned in the generated FHIR artifact, enabling file disclosure and server-side request forgery against internal services.
No verified exploitation code is published. Refer to the GitHub Security Advisory GHSA-8c3x-hq82-gjcm for vendor technical detail.
Detection Methods for CVE-2024-52807
Indicators of Compromise
- Inbound XML payloads containing <!DOCTYPE declarations with SYSTEM or PUBLIC external entity references targeting file://, http://, or ftp:// URIs
- FHIR IG Publisher output artifacts containing fragments of host filesystem content such as /etc/passwd, /proc/self/environ, or private key material
- Outbound network connections from the publisher process to unexpected internal hosts during XML processing
Detection Strategies
- Inspect application logs for XML parsing events that resolve external entities or reference non-local URIs during XSLT transforms
- Apply web application firewall rules that flag DTD declarations and ENTITY keywords in XML request bodies submitted to publisher endpoints
- Compare deployed org.hl7.fhir.publisher version against 1.7.4 across CI/CD systems and build agents
Monitoring Recommendations
- Track egress traffic from build hosts running the publisher and alert on connections to filesystem URI handlers or unexpected destinations
- Monitor for unusual read access to sensitive files such as /etc/shadow, SSH keys, or cloud credential files by the JVM process hosting the publisher
- Enable verbose XML parser logging in staging environments to surface DTD processing attempts during validation
How to Mitigate CVE-2024-52807
Immediate Actions Required
- Upgrade org.hl7.fhir.publisher to version 1.7.4 or later across all build pipelines, hosted services, and developer workstations
- Audit historical publisher output artifacts for unexpected embedded file content that could indicate prior exploitation
- Restrict network egress from publisher hosts to only the endpoints required for IG generation
Patch Information
The vulnerability is fixed in version 1.7.4. The remediation is implemented in commit 3560de2. Full changes between 1.7.3 and 1.7.4 are visible in the GitHub version comparison. The HL7 maintainers state no known workarounds exist outside of upgrading.
Workarounds
- No vendor-supplied workarounds are available. Upgrading to 1.7.4 is required.
- As a compensating control, place the publisher behind an input gateway that strips <!DOCTYPE declarations from submitted XML before processing
- Run the publisher in an isolated, least-privilege container with no access to sensitive filesystem paths or internal network ranges
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
