Scan free
CRITICALCVE-2024-55875CVSS 9.8

CVE-2024-55875: XXE Injection in http4k

Platform

kotlin

Component

http4k

Fixed in

5.41.1

AI Confidence: highNVDEPSS 5.5%Reviewed: May 2026
View on NVD
Save

CVE-2024-55875 describes an XXE (XML External Entity Injection) vulnerability affecting http4k, a Kotlin HTTP toolkit. This vulnerability allows attackers to exploit improper handling of malicious XML content within requests, potentially leading to sensitive data exposure and code execution. Versions of http4k prior to 5.41.0.0 are vulnerable, and a patch has been released.

Impact and Attack Scenarios

The XXE vulnerability in http4k poses a significant risk. An attacker can leverage this flaw to read arbitrary files from the server's file system, potentially exposing sensitive configuration data, API keys, or source code. Furthermore, the vulnerability enables Server-Side Request Forgery (SSRF), allowing the attacker to make requests to internal or external resources on behalf of the server. In certain scenarios, successful exploitation could even lead to remote code execution, granting the attacker complete control over the affected system. The high CVSS score of 9.8 reflects the severity of this potential impact.

Exploitation Context

CVE-2024-55875 was publicly disclosed on December 12, 2024. While no active exploitation campaigns have been publicly reported, the vulnerability's severity and the availability of a public proof-of-concept increase the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations should prioritize patching.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

5.46% (90% percentile)

CISA SSVC

Exploitationpoc
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componenthttp4k
Vendorhttp4k
Affected rangeFixed in
< 5.41.0.0 – < 5.41.0.05.41.1

Weakness Classification (CWE)

CWE-200CWE-611CWE-918

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-55875 is to upgrade to version 5.41.0.0 or later of http4k. If upgrading is not immediately feasible, consider implementing input validation and sanitization to filter out potentially malicious XML content. Web application firewalls (WAFs) configured to detect and block XXE attacks can provide an additional layer of defense. Review and restrict access to sensitive files on the server to limit the potential damage from a successful exploit. After upgrading, confirm the fix by sending a crafted XML request containing external entity references and verifying that the server does not disclose any sensitive information or make unauthorized requests.

How to fix

Actualice la biblioteca http4k a la versión 5.41.0.0 o superior. Esta versión contiene una corrección para la vulnerabilidad XXE. Asegúrese de validar y sanitizar cualquier entrada XML antes de procesarla para evitar posibles ataques.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-55875 — XXE Injection in http4k?

CVE-2024-55875 is a critical XXE Injection vulnerability in http4k versions 5.40.0.0 and earlier, allowing attackers to read local files, perform SSRF, and potentially execute code.

Am I affected by CVE-2024-55875 in http4k?

You are affected if you are using http4k version 5.40.0.0 or earlier. Upgrade to version 5.41.0.0 to mitigate the risk.

How do I fix CVE-2024-55875 in http4k?

Upgrade to version 5.41.0.0 of http4k. As a temporary workaround, implement input validation and sanitization to filter malicious XML content.

Is CVE-2024-55875 being actively exploited?

While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.

Where can I find the official http4k advisory for CVE-2024-55875?

Refer to the official http4k project website and GitHub repository for updates and security advisories related to CVE-2024-55875.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs