http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.http4k:http4k-format-xml(Maven) | 5.0.0.0 | 5.41.0.0 | N/A |
| org.http4k:http4k-format-xml(Maven) | 0 | 4.50.0.0 | N/A |
CVSS Metrics
