CVE-2024-55875 Overview
CVE-2024-55875 is an XML External Entity (XXE) Injection vulnerability in http4k, a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, http4k improperly handles malicious XML content within HTTP requests, enabling attackers to exploit XXE vulnerabilities. This security flaw allows threat actors to read sensitive local files from the server, trigger Server-Side Request Forgery (SSRF) attacks, and potentially achieve remote code execution under certain conditions.
Critical Impact
This XXE vulnerability allows unauthenticated remote attackers to read arbitrary local files, perform SSRF attacks, and potentially execute code on vulnerable http4k servers processing untrusted XML input.
Affected Products
- http4k versions prior to 5.41.0.0
- Applications using http4k's XML parsing functionality
- Kotlin HTTP applications built with vulnerable http4k versions
Discovery Timeline
- 2024-12-12 - CVE-2024-55875 published to NVD
- 2024-12-13 - Last updated in NVD database
Technical Details for CVE-2024-55875
Vulnerability Analysis
The vulnerability exists in http4k's XML parsing module, specifically in the XML format handling code. When processing XML content from incoming HTTP requests, the library fails to properly disable external entity processing in the underlying XML parser configuration. This allows attackers to craft malicious XML payloads containing external entity declarations that reference local files, internal network resources, or other sensitive data sources.
The vulnerable code path is located in the Xml.kt file within the core/format/xml module. When XML content is parsed without proper security configurations, the DocumentBuilder processes DTD declarations and resolves external entities, leading to information disclosure and potential further exploitation.
Root Cause
The root cause of this vulnerability is the lack of secure XML parser configuration in http4k's XML handling code. The XML parser was not configured to disable DOCTYPE declarations, external general entities, external parameter entities, or external DTD loading. This insecure default configuration allows XML External Entity attacks when processing untrusted XML input. The fix applied in version 5.41.0.0 adds proper security features to the DocumentBuilderFactory to prevent XXE attacks.
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker can send a specially crafted HTTP request containing malicious XML content to any endpoint that processes XML using the vulnerable http4k library. The attack requires no user interaction and can be executed with low complexity.
Typical XXE attack scenarios include:
Local File Disclosure: Attackers define external entities pointing to local files like /etc/passwd or application configuration files, which are then included in the XML response or error messages.
SSRF Attacks: External entities can reference internal network URLs, allowing attackers to probe internal services, access metadata endpoints, or pivot to other systems.
Remote Code Execution: In certain configurations where the server has access to specific protocols or vulnerable dependencies, XXE can be chained with other techniques to achieve code execution.
The vulnerability mechanism involves crafting XML payloads with DOCTYPE declarations that define external entities. When the vulnerable parser processes such content, it resolves these entities and includes their contents in the document. For detailed technical information, see the GitHub Security Advisory GHSA-7mj5-hjjj-8rgw.
Detection Methods for CVE-2024-55875
Indicators of Compromise
- Unusual HTTP requests containing XML payloads with DOCTYPE declarations and ENTITY definitions
- Web server logs showing requests with <!DOCTYPE and <!ENTITY patterns in request bodies
- Access attempts to sensitive local files like /etc/passwd, /etc/shadow, or application configuration files from the web application process
- Outbound connections from web application servers to unexpected internal or external hosts
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XML payloads containing DOCTYPE declarations and external entity references
- Monitor application logs for XML parsing errors or unusual file access patterns from the http4k application
- Deploy network monitoring to detect SSRF attempts originating from application servers to internal infrastructure
- Use SentinelOne Singularity platform to detect and alert on suspicious file access or network connections from Java/Kotlin applications
Monitoring Recommendations
- Enable verbose logging for XML parsing operations in http4k applications
- Configure alerting for any HTTP requests containing <!DOCTYPE or <!ENTITY strings in request bodies
- Monitor for abnormal outbound network traffic from application servers, particularly to internal IP ranges or cloud metadata endpoints
- Implement file integrity monitoring on sensitive configuration files that could be targeted by XXE attacks
How to Mitigate CVE-2024-55875
Immediate Actions Required
- Upgrade http4k to version 5.41.0.0 or later immediately
- Review application code for any custom XML parsing that may bypass http4k's updated security configurations
- Implement input validation to reject XML content containing DOCTYPE declarations at the application perimeter
- Deploy WAF rules to block XXE attack patterns while patch deployment is in progress
Patch Information
The http4k maintainers released version 5.41.0.0 which contains the security fix for this vulnerability. The patch modifies the XML parser configuration to disable external entity processing. The fix can be reviewed in the GitHub commit. Organizations should upgrade to this version or later by updating their dependency management configuration (Maven, Gradle, etc.).
For reference, the vulnerable code location is in the Xml.kt format code.
Workarounds
- If immediate upgrade is not possible, implement a request filter that strips or rejects XML content containing DOCTYPE declarations before it reaches the http4k XML parser
- Deploy a reverse proxy or WAF in front of vulnerable applications to filter malicious XML payloads
- Disable XML processing endpoints temporarily if they are not business-critical
- Implement network segmentation to limit the impact of potential SSRF attacks originating from vulnerable servers
# Gradle dependency update example
# In build.gradle.kts, update http4k dependency:
# implementation("org.http4k:http4k-core:5.41.0.0")
# implementation("org.http4k:http4k-format-xml:5.41.0.0")
# Verify installed version after update
./gradlew dependencies | grep http4k
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
