
Fix CVE-2024-31573: upgrade xmlunit to 2.10.0 #56

Open

micheleh wants to merge 1 commit into master from fix/cve-2024-31573-xmlunit


Conversation

@micheleh (Collaborator) commented Apr 5, 2026

Summary

  • Replaced xmlunit:xmlunit:1.6 with org.xmlunit:xmlunit-legacy:2.10.0 to
    remediate CVE-2024-31573 (insecure XSLT extension function defaults)
  • xmlunit-legacy provides the same org.custommonkey.xmlunit.* API — no code
    changes required
  • Added <scope>test</scope> since the dependency is only used in integration
    tests, keeping it out of the shipped fat JAR

Test plan

  • mvn compile test-compile — compiles cleanly
  • mvn test — all unit tests pass
  • mvn dependency:tree confirms xmlunit-core:2.10.0 (with the fix) is
    resolved and old xmlunit:1.6 is gone

The old xmlunit:xmlunit:1.6 artifact has insecure defaults when
processing XSLT stylesheets (CVE-2024-31573), which can lead to
arbitrary code execution with untrusted input. Replace with
org.xmlunit:xmlunit-legacy:2.10.0, a drop-in API-compatible wrapper
around the fixed xmlunit-core 2.10.0. Also added test scope since
xmlunit is only used in integration tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@micheleh micheleh requested a review from nissimshitrit April 5, 2026 07:24
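A repository-side check for the change this PR describes, added here as an example; it is not part of the project or of this PR. It parses a pom.xml, flags the old xmlunit:xmlunit coordinate, and confirms that org.xmlunit:xmlunit-legacy (or xmlunit-core) is declared at 2.10.0 or later with test scope. The two pom fragments are constructed to mirror the PR description rather than copied from the project, and the function names are my own.

```python
"""Audit a Maven pom.xml for the xmlunit coordinates discussed in this PR (example code)."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# First org.xmlunit release that carries the fix for CVE-2024-31573, per the PR description.
FIXED_VERSION = (2, 10, 0)

# Constructed pom.xml fragments mirroring the PR description; not the project's real pom.xml.
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>xmlunit</groupId>
      <artifactId>xmlunit</artifactId>
      <version>1.6</version>
    </dependency>
  </dependencies>
</project>"""

POM_AFTER = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.xmlunit</groupId>
      <artifactId>xmlunit-legacy</artifactId>
      <version>2.10.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0); return None for unresolved values such as ${xmlunit.version}."""
    if text is None or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def declared_dependencies(pom_xml):
    """Return every <dependency> in the pom as a dict; scope defaults to compile, as Maven does."""
    def tag(name):
        return f"{{{POM_NS}}}{name}"

    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(tag("dependency")):
        deps.append({
            "group": dep.findtext(tag("groupId")),
            "artifact": dep.findtext(tag("artifactId")),
            "version": dep.findtext(tag("version")),
            "scope": dep.findtext(tag("scope")) or "compile",
        })
    return deps


def audit_xmlunit(pom_xml):
    """Return a list of findings; an empty list means the pom matches the remediated state."""
    findings = []
    for dep in declared_dependencies(pom_xml):
        coord = f"{dep['group']}:{dep['artifact']}:{dep['version']}"
        if dep["group"] == "xmlunit" and dep["artifact"] == "xmlunit":
            # The 1.x artifact is the one the PR replaces; there is no fixed release under this coordinate.
            findings.append(
                f"{coord}: affected by CVE-2024-31573, replace with org.xmlunit:xmlunit-legacy:2.10.0 or later"
            )
            continue
        if dep["group"] == "org.xmlunit" and dep["artifact"] in ("xmlunit-legacy", "xmlunit-core"):
            version = parse_version(dep["version"])
            if version is None:
                findings.append(
                    f"{coord}: version is not a literal, resolve it (mvn help:effective-pom) before trusting this check"
                )
            elif version < FIXED_VERSION:
                findings.append(f"{coord}: below 2.10.0, still affected by CVE-2024-31573")
            if dep["scope"] != "test":
                findings.append(
                    f"{coord}: scope is {dep['scope']}, use test scope so the library stays out of the shipped JAR"
                )
    return findings


if __name__ == "__main__":
    for label, pom in (("before", POM_BEFORE), ("after", POM_AFTER)):
        print(label, audit_xmlunit(pom) or "clean")
```

This only inspects declared coordinates. xmlunit-legacy pulls xmlunit-core in transitively, and a `<dependencyManagement>` pin or another dependency elsewhere in the build can still drag in an older xmlunit-core, so the `mvn dependency:tree` step in the test plan remains the authoritative confirmation that 2.10.0 is what actually resolves.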