PT-2025-26776 · Allure 2 +1

Derekhaber

·

Published

2025-06-24

·

Updated

2025-06-25

·

CVE-2025-52888

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Allure 2 versions prior to 2.34.1

Description: An XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin does not securely configure its XML parser (DocumentBuilderFactory) and therefore resolves and expands external entities while processing test result .xml files. An attacker who can get a crafted result file into the set of results Allure processes can read arbitrary files from the file system of the host running Allure (the confidentiality impact reflected by C:H in the vector) and can potentially make the parser issue outbound requests to attacker-chosen URLs (server-side request forgery, SSRF). As the vector states, exploitation needs no privileges and no user interaction.

Recommendations: Update to Allure 2.34.1 or later, which fixes the issue. Until you can update, restrict access to the xunit-xml-plugin so that only result files from trusted sources (for example, your own CI jobs) are processed, and do not parse untrusted result files with a DocumentBuilderFactory in its default configuration: disable DOCTYPE declarations and external entity resolution on the parser before it is used.
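The following is an added example in Java (the language Allure 2 is written in); it is not code from Allure or from the xunit-xml-plugin. It parses a constructed xunit-style result file carrying an XXE payload twice: first with a DocumentBuilderFactory in its default configuration, which on the JDK's built-in parser resolves the external entity and drops the target file's contents into the parsed report, and then with a hardened factory that rejects the DOCTYPE before any entity can be resolved. The class and method names, the sample XML and the target path /etc/hostname are assumptions made for the demo; the feature URIs are the standard ones supported by the JDK's Xerces-based parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XunitXxeDemo {

    // Constructed sample (not a real Allure input): an xunit-style result file
    // whose DOCTYPE declares an external entity pointing at a local file. The
    // entity is referenced inside the failure message, so if the parser
    // resolves it, the file contents end up in the parsed report.
    // /etc/hostname is an assumed target that exists on most Linux hosts.
    static final String MALICIOUS_XUNIT =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE assemblies [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<assemblies>\n"
      + "  <assembly name=\"demo\">\n"
      + "    <collection name=\"demo\">\n"
      + "      <test name=\"leak\" result=\"Fail\">\n"
      + "        <failure><message>&xxe;</message></failure>\n"
      + "      </test>\n"
      + "    </collection>\n"
      + "  </assembly>\n"
      + "</assemblies>\n";

    // Vulnerable pattern: a DocumentBuilderFactory with default settings.
    // The JDK's built-in parser resolves SYSTEM entities by default, so the
    // file named in the DOCTYPE is read and substituted for &xxe;.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened pattern: refuse DOCTYPE declarations outright and, as defence in
    // depth, switch off external entity and external DTD loading, XInclude and
    // entity expansion. Rejecting the DOCTYPE alone already stops this payload.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse the result file and return the text of the first <message> element,
    // which is where the injected entity would surface.
    static String parseFailureMessage(DocumentBuilderFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("message").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the failure message now carries the contents of
        // /etc/hostname (an IOException here means the assumed file is absent).
        try {
            System.out.println("default  : " + parseFailureMessage(defaultFactory(), MALICIOUS_XUNIT).trim());
        } catch (IOException e) {
            System.out.println("default  : entity was resolved but the target could not be read -> " + e.getMessage());
        }

        // Hardened factory: the parser rejects the DOCTYPE before resolving anything.
        try {
            parseFailureMessage(hardenedFactory(), MALICIOUS_XUNIT);
            System.out.println("hardened : parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened : rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XunitXxeDemo.java && java XunitXxeDemo`; no third-party dependencies are needed. The same DOCTYPE could name an http:// URL instead of a file, which is the SSRF variant mentioned in the description; the hardened factory rejects both forms identically because the DOCTYPE never gets past the parser.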

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2025-52888
GHSA-H7QF-QMF3-85QG

Affected Products

Allure 2
Xunit-Xml-Plugin