CVE-2024-55875: http4k has a potential XXE (XML External Entity Injection) vulnerability
http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class (SSRF, local-file disclosure, code execution) by setting `ACCESS_EXTERNAL_DTD=""`, `ACCESS_EXTERNAL_SCHEMA=""`, and `isExpandEntityReferences=false` on the default `DocumentBuilderFactory`. A residual gap remained: the parser still accepted documents containing `<!DOCTYPE>` declarations even though external entity resolution was blocked. This left open billion-laughs-style internal entity expansion DoS attacks against any application using `Body.xml()` or `Document.asXmlDocument()` on untrusted XML. v6.50.0.0 closes this residual by adding `disallow-doctype-decl=true` and `FEATURE_SECURE_PROCESSING=true` to `defaultXmlParsingConfig`. Any document containing a `<!DOCTYPE>` is now rejected at parse time.
Security readout for executives and security teams
Plain-English summary
Applications using http4k to parse untrusted XML may be exposed to serious XML parser attacks. Sources say affected versions are before 6.50.0.0. Older exposure included external-entity risks such as sensitive file disclosure and SSRF; a later residual gap allowed denial-of-service through DOCTYPE-based internal entity expansion.
Executive priority
Treat as urgent for internet-facing systems that accept XML. The business risk is data exposure, server-side request forgery, and service outage. Patch vulnerable http4k dependencies and verify XML parsing behavior.
Technical view
CVE-2024-55875 affects http4k XML parsing before 6.50.0.0, especially Body.xml() and Document.asXmlDocument() on untrusted XML. Earlier fixes blocked external DTD and schema access and entity expansion, but still allowed DOCTYPE declarations. Version 6.50.0.0 adds disallow-doctype-decl and secure-processing behavior to defaultXmlParsingConfig.
Likely exposure
Exposure is likely in Kotlin services using vulnerable http4k versions and parsing client-controlled XML request bodies. Services that do not accept XML or do not use http4k XML helpers are less likely exposed.
Exploitation context
The provided bundle does not show known active exploitation, and KEV is false. The issue is still high urgency because it is network-reachable, unauthenticated, low-complexity, and can affect confidentiality, integrity, and availability.
Researcher notes
The sources distinguish between the original external-entity fix and the remaining DOCTYPE acceptance gap. Avoid assuming every affected version has identical impact; validate actual dependency version, parser configuration, and use of http4k XML helpers.
Mitigation direction
Upgrade http4k to version 6.50.0.0 or later.
Prioritize externally reachable services that parse XML request bodies.
Reduce or disable untrusted XML ingestion where it is not required.
Follow http4k advisory guidance for supported branches and parser behavior.
Add request size and timeout controls around XML endpoints.
Validation and detection
Inventory deployed services for http4k versions below 6.50.0.0.
Search code for Body.xml() and Document.asXmlDocument() usage.
Map XML parsing paths to public or partner-facing endpoints.
Confirm upgraded builds reject XML documents containing DOCTYPE declarations.
Review logs for XML parser errors, SSRF indicators, or resource exhaustion.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-200: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CWE-918: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references SSRF or metadata access, so cloud discovery and credential material review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.