CVE-2025-52888: 
Java vulnerability analysis and mitigation

A critical XML External Entity (XXE) vulnerability (CVE-2025-52888) was discovered in Allure 2, a multi-language test reporting tool. The vulnerability affects versions prior to 2.34.1, specifically impacting the xunit-xml-plugin component. The issue was disclosed on June 24, 2025, and stems from improper configuration of the XML parser when processing test result .xml files (GitHub Advisory, NVD).

The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference) and has received a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue occurs in the DocumentBuilderFactory implementation where the XML parser is not securely configured, allowing external entity expansion during the processing of test result .xml files (GitHub Advisory).

The vulnerability enables attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). This is particularly concerning in CI/CD environments where it could be exploited silently without user interaction. Attackers could potentially access sensitive information such as API keys, product keys, internal application URLs, or other secret items (GitHub Advisory, Wiz).

The vulnerability has been patched in Allure 2 version 2.34.1. Users are strongly advised to upgrade to this version or later to address the security issue. The fix involves proper configuration of the XML parser to prevent external entity expansion (GitHub Advisory, GitHub Commit).