Platform
kotlin
Component
http4k
Fixed in
5.41.1
CVE-2024-55875 describes an XXE (XML External Entity Injection) vulnerability affecting http4k, a Kotlin HTTP toolkit. This vulnerability allows attackers to exploit improper handling of malicious XML content within requests, potentially leading to sensitive data exposure and code execution. Versions of http4k prior to 5.41.0.0 are vulnerable, and a patch has been released.
The XXE vulnerability in http4k poses a significant risk. An attacker can leverage this flaw to read arbitrary files from the server's file system, potentially exposing sensitive configuration data, API keys, or source code. Furthermore, the vulnerability enables Server-Side Request Forgery (SSRF), allowing the attacker to make requests to internal or external resources on behalf of the server. In certain scenarios, successful exploitation could even lead to remote code execution, granting the attacker complete control over the affected system. The high CVSS score of 9.8 reflects the severity of this potential impact.
CVE-2024-55875 was publicly disclosed on December 12, 2024. While no active exploitation campaigns have been publicly reported, the vulnerability's severity and the availability of a public proof-of-concept increase the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations should prioritize patching.
Exploit Status
EPSS
5.46% (90% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-55875 is to upgrade to version 5.41.0.0 or later of http4k. If upgrading is not immediately feasible, consider implementing input validation and sanitization to filter out potentially malicious XML content. Web application firewalls (WAFs) configured to detect and block XXE attacks can provide an additional layer of defense. Review and restrict access to sensitive files on the server to limit the potential damage from a successful exploit. After upgrading, confirm the fix by sending a crafted XML request containing external entity references and verifying that the server does not disclose any sensitive information or make unauthorized requests.
Actualice la biblioteca http4k a la versión 5.41.0.0 o superior. Esta versión contiene una corrección para la vulnerabilidad XXE. Asegúrese de validar y sanitizar cualquier entrada XML antes de procesarla para evitar posibles ataques.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-55875 is a critical XXE Injection vulnerability in http4k versions 5.40.0.0 and earlier, allowing attackers to read local files, perform SSRF, and potentially execute code.
You are affected if you are using http4k version 5.40.0.0 or earlier. Upgrade to version 5.41.0.0 to mitigate the risk.
Upgrade to version 5.41.0.0 of http4k. As a temporary workaround, implement input validation and sanitization to filter malicious XML content.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the official http4k project website and GitHub repository for updates and security advisories related to CVE-2024-55875.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.