XMLUnit for Java Extension Function Vulnerability Allowing Remote Code Execution
Vulnerability
A remote code execution vulnerability exists in XMLUnit for Java versions prior to 2.10.0. In the default configuration, the XSLT processor XMLUnit uses allows extension functions, so an untrusted stylesheet processed during an XSLT transformation can execute arbitrary code. Where the stylesheet can be supplied externally, this amounts to remote code execution.
Impact
The vulnerability allows for remote code execution when XMLUnit is used to transform data with a stylesheet from an untrusted source.
Reproduction
The vulnerability can be reproduced with XMLUnit 2.9.1 or earlier by performing an XSLT transformation with an untrusted stylesheet that relies on the enabled extension functions: set up a Java project that depends on XMLUnit 2.9.1, write a transformation class that loads an external stylesheet known to execute code through extension functions, and run the transformation.
Remediation
Users should upgrade to XMLUnit for Java version 2.10.0 or later, where the default configuration has been changed to disable extension functions. Instructions for updating XMLUnit are in the release notes of the GitHub repository.
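The hardening behind the 2.10.0 change is the JAXP secure-processing feature on the TransformerFactory, which makes the JDK's XSLT processor reject extension functions; the following added example (not code from the XMLUnit project) builds such a factory and hands it to XMLUnit's Transformation explicitly, so the guard holds even on a pinned older version. The two ACCESS_EXTERNAL_* attributes go beyond the 2.10.0 fix and additionally block the stylesheet from pulling in remote DTDs or imported stylesheets; the inline XML and stylesheet are constructed sample input.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.xmlunit.transform.Transformation;

public class HardenedXslt {

    /** Builds a TransformerFactory that refuses extension functions and external fetches. */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        // Secure processing disables XSLT extension functions, the route to code execution.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // Empty protocol list: no external DTDs, no xsl:import / xsl:include from remote URIs.
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // A non-JDK processor may not know these attributes; secure processing is still set.
        }
        return f;
    }

    /** Runs an XMLUnit transformation with the hardened factory instead of the library default. */
    static String transform(String xml, String xslt) throws TransformerConfigurationException {
        Transformation t = new Transformation(new StreamSource(new StringReader(xml)));
        t.setStylesheet(new StreamSource(new StringReader(xslt)));
        t.setFactory(hardenedFactory()); // explicit, so the guard does not depend on XMLUnit's version
        return t.transformToString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign document and a stylesheet that only uses core XSLT.
        String xml = "<order><item>widget</item></order>";
        String xslt = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
            + "<xsl:output method=\"text\"/>"
            + "<xsl:template match=\"/\"><xsl:value-of select=\"order/item\"/></xsl:template>"
            + "</xsl:stylesheet>";
        System.out.println(transform(xml, xslt)); // benign stylesheets keep working
    }
}
```

With this factory, a stylesheet that tries to call an extension function fails at compile time with a transformer error instead of running, which is the behaviour to verify in a regression test after upgrading.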