
Cloud Vulnerability DB
A community-led vulnerabilities database
XMLUnit for Java before version 2.10.0, in the default configuration, contains a vulnerability that could allow code execution via untrusted XSLT stylesheets. The vulnerability was disclosed on May 1, 2024, and affects the Maven package org.xmlunit:xmlunit-core (GitHub Advisory).
The vulnerability stems from insecure defaults in XMLUnit's XSLT processing configuration: XSLT extension functions were not disabled by default. Earlier versions only disabled DTD loading and left extension functions enabled, which could allow arbitrary code execution when an untrusted stylesheet is processed (GitHub Commit).
When XMLUnit is used to transform data with a stylesheet from an untrusted source, this vulnerability could allow arbitrary code execution. If the stylesheet can be provided externally, this may lead to remote code execution (GitHub Advisory).
Users are advised to upgrade to XMLUnit for Java 2.10.0 where the default configuration has been changed to disable extension functions. For users unable to upgrade, a workaround is available by explicitly using XMLUnit's APIs to pass in a pre-configured TraX TransformerFactory with extension functions disabled via features and attributes. The required setFactory or setTransformerFactory methods have been available since XMLUnit for Java 2.0.0 (GitHub Advisory).
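The workaround described above, as an added example that is not part of the advisory or of XMLUnit's own code: a TraX `TransformerFactory` is hardened with standard JAXP features and attributes and then handed to XMLUnit through `Transformation.setFactory`. The XMLUnit method names (`Transformation`, `setStylesheet`, `setFactory`, `transformToString`) and the sample XML are assumptions; the JAXP constants are standard.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import org.xmlunit.transform.Transformation;

public final class HardenedXsltExample {

    // Build a TraX factory that refuses extension functions and external fetches.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing: the JDK's built-in XSLT processor disables extension
        // functions (and applies resource limits) when this feature is enabled.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Also stop the stylesheet from pulling in external DTDs or other stylesheets.
        // Note: third-party TraX implementations may reject these attributes with an
        // IllegalArgumentException; consult that implementation's own switches.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document and stylesheet; in the advisory's scenario the
        // stylesheet would arrive from an untrusted source instead.
        Source input = new StreamSource(new StringReader("<root><v>42</v></root>"));
        Source stylesheet = new StreamSource(new StringReader(
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/root/v\"/></out></xsl:template>"
          + "</xsl:stylesheet>"));

        // Assumed XMLUnit API: pass the pre-configured factory in explicitly, as the
        // advisory's workaround requires for versions before 2.10.0.
        Transformation t = new Transformation(input);
        t.setStylesheet(stylesheet);
        t.setFactory(hardenedFactory());
        System.out.println(t.transformToString());
    }
}
```

With the hardened factory in place, a stylesheet that tries to call a Java extension function fails at compile or run time instead of executing code.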
Source: This report was generated using AI