PT-2024-24141 · Unknown · XMLUnit for Java

Published: 2024-05-01 · Updated: 2026-04-01 · CVE-2024-31573

CVSS v3.1: 4.0 (Medium)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: XMLUnit for Java versions prior to 2.10.0

Description: The issue arises because XMLUnit for Java does not disable XSLT extension functions by default when performing XSLT transformations. Extension functions let a stylesheet call into the host runtime, so when XMLUnit is used to transform data with an untrusted stylesheet, arbitrary code can be executed, potentially leading to remote code execution if the stylesheet can be supplied externally.

Recommendations: Users of versions prior to 2.10.0 should upgrade to XMLUnit for Java 2.10.0, where the default has been changed to disable XSLT extension functions. As a temporary workaround, users running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit's APIs to pass in a pre-configured TraX TransformerFactory with extension functions disabled via features and attributes.
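The workaround above in code, as an added example that is not part of this advisory or of the XMLUnit project: a TraX TransformerFactory is hardened with the standard JAXP secure-processing feature and external-access attributes, then handed to XMLUnit so the transformation never runs with extension functions enabled. It assumes XMLUnit 2.x (the org.xmlunit.transform.Transformation class with setFactory, and Input.fromString from xmlunit-core) and the JDK's built-in XSLT processor, which rejects extension-function calls once FEATURE_SECURE_PROCESSING is set; the two stylesheets are constructed sample input.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

import org.xmlunit.XMLUnitException;
import org.xmlunit.builder.Input;
import org.xmlunit.transform.Transformation;

public class HardenedXsltTransform {

    /**
     * Builds a TransformerFactory that refuses extension functions and
     * external resource access. This is the "pre-configured TraX
     * TransformerFactory" the advisory's workaround asks for.
     */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Standard JAXP feature: the JDK's processor disables extension
        // functions (calls into Java classes from XSLT) when this is true.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not let the document or stylesheet pull in external DTDs or
        // stylesheets (xsl:import / xsl:include of remote resources).
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** Runs an XSLT transformation through XMLUnit using the hardened factory. */
    static String transform(String documentXml, String stylesheetXml)
            throws TransformerConfigurationException {
        Source document = Input.fromString(documentXml).build();
        Source stylesheet = Input.fromString(stylesheetXml).build();
        Transformation transformation = new Transformation(document);
        transformation.setStylesheet(stylesheet);
        // Without this call XMLUnit < 2.10.0 would create its own factory
        // with extension functions still enabled.
        transformation.setFactory(hardenedFactory());
        return transformation.transformToString();
    }

    // Constructed sample input: a harmless document and a plain stylesheet.
    static final String DOCUMENT = "<orders><order/><order/></orders>";

    static final String PLAIN_STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"count(//order)\"/></xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed sample input: the same stylesheet, but it calls a Java
    // method through an extension namespace. With the hardened factory the
    // call is rejected instead of being dispatched into the JVM.
    static final String EXTENSION_STYLESHEET =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:math=\"http://xml.apache.org/xalan/java/java.lang.Math\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"math:abs(-3)\"/></xsl:template>"
      + "</xsl:stylesheet>";

    public static void main(String[] args) throws Exception {
        // Ordinary XSLT keeps working: prints "2".
        System.out.println("plain stylesheet -> " + transform(DOCUMENT, PLAIN_STYLESHEET));

        // The extension call is blocked; XMLUnit wraps the processor's
        // TransformerException in its own XMLUnitException.
        try {
            transform(DOCUMENT, EXTENSION_STYLESHEET);
            System.out.println("extension stylesheet -> NOT blocked (factory is not hardened)");
        } catch (XMLUnitException expected) {
            System.out.println("extension stylesheet -> blocked: " + expected.getMessage());
        }
    }
}
```

The second stylesheet only calls java.lang.Math.abs, which is enough to confirm the factory is actually enforcing the restriction; if the extension branch prints "NOT blocked", the factory in use is not the hardened one (for example because a different XSLT implementation was picked up from the classpath), and that is the configuration to fix before any externally supplied stylesheet is processed.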

Related Identifiers

CLEANSTART-2026-IA43044
CVE-2024-31573
GHSA-CHFM-68VV-PVW5
OESA-2025-1966
OESA-2025-1967
OESA-2025-1968
OESA-2025-1969
OESA-2025-1970

Affected Products

XMLUnit for Java