PT-2024-10160 · Http4K · Http4K
Jacklosingheart · Published 2024-12-11 · Updated 2025-05-03 · CVE-2024-55875
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: http4k versions prior to 5.41.0.0

Description: http4k is affected by an XXE (XML External Entity Injection) vulnerability when it parses malicious XML content supplied within requests. This could allow attackers to read sensitive local files on the server, trigger Server-Side Request Forgery, and under some circumstances execute code.

Recommendations: Update to version 5.41.0.0 or later, which contains a patch for the problem. As a temporary workaround, disable the XML parsing feature in http4k until the patch is applied, restrict access to the XML handling module to minimize the risk of exploitation, and avoid using the xmlLens function in the affected API endpoints until the issue is resolved.
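The workaround above amounts to "do not feed request XML to a parser that honours DOCTYPE declarations". The Kotlin example below is added here as an illustration of that check and is not http4k's code nor part of this advisory: it uses only the JDK's javax.xml API, the names permissiveFactory, hardenedFactory and parse are my own, and the input document is constructed for the demonstration. It contrasts a default DocumentBuilderFactory, which expands an entity defined in an inline DTD, with the OWASP-recommended configuration that rejects any DOCTYPE before an entity can be resolved, so an endpoint in front of such a parser cannot be driven into file reads or outbound requests through entity declarations.

```kotlin
import java.io.ByteArrayInputStream
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import org.w3c.dom.Document
import org.xml.sax.SAXParseException

// Constructed sample input (not from the advisory): an inline DOCTYPE defining an
// internal entity. A parser that honours DTDs expands &greeting; into its value;
// a parser that refuses DOCTYPE declarations rejects the document outright.
private val SAMPLE_WITH_DOCTYPE = """
    <?xml version="1.0"?>
    <!DOCTYPE note [ <!ENTITY greeting "hello from the DTD"> ]>
    <note>&greeting;</note>
""".trimIndent()

// Factory as delivered by the JDK: DOCTYPE allowed, entities expanded.
// This stands in for the weakness class described above; it is not http4k's code.
fun permissiveFactory(): DocumentBuilderFactory = DocumentBuilderFactory.newInstance()

// Hardened configuration following OWASP XXE guidance: disallow DOCTYPE entirely and,
// as defence in depth, switch off external entities, external DTD/schema loading,
// XInclude and entity expansion.
fun hardenedFactory(): DocumentBuilderFactory =
    DocumentBuilderFactory.newInstance().apply {
        setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
        setFeature("http://xml.org/sax/features/external-general-entities", false)
        setFeature("http://xml.org/sax/features/external-parameter-entities", false)
        setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
        setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
        setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
        isXIncludeAware = false
        isExpandEntityReferences = false
    }

// Parse a request body with the given factory; the caller decides which factory.
fun parse(factory: DocumentBuilderFactory, xml: String): Document =
    factory.newDocumentBuilder().parse(ByteArrayInputStream(xml.toByteArray(Charsets.UTF_8)))

fun main() {
    // 1. Default parser: the entity is silently expanded into the element text.
    val doc = parse(permissiveFactory(), SAMPLE_WITH_DOCTYPE)
    println("permissive parser produced: " + doc.documentElement.textContent)

    // 2. Hardened parser: the DOCTYPE itself is rejected, so no entity is ever resolved.
    try {
        parse(hardenedFactory(), SAMPLE_WITH_DOCTYPE)
        println("hardened parser accepted the document (unexpected)")
    } catch (e: SAXParseException) {
        println("hardened parser rejected the document: " + e.message)
    }
}
```

Running this prints the expanded text for the permissive parser and a SAXParseException message for the hardened one. Until the upgrade to 5.41.0.0 is in place, the same DOCTYPE-bearing document can serve as a regression input against whatever parser an endpoint still uses: if it returns a document instead of throwing, that endpoint is still exposed to the weakness class this advisory describes.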

Exploit

Fix

Information Disclosure

SSRF

XXE

Weakness Enumeration

Related Identifiers

BDU:2025-00486
CVE-2024-55875
GHSA-7MJ5-HJJJ-8RGW

Affected Products

Http4K