CVE-2024-55875 - XXE Vulnerability in http4k – How Your Kotlin Server May Be at Risk

If you develop Kotlin-based web applications with http4k, pay close attention to this: a recent vulnerability, CVE-2024-55875, puts your server’s sensitive files and network at risk if you process user-controlled XML! Let’s break down what the bug is, why it’s dangerous, how an attack can happen, and what you should do to stay safe, with code examples and references included.

What is http4k?

http4k is a popular functional toolkit for building HTTP services in Kotlin. It streamlines building, testing, and deploying APIs or web apps, making it a favorite among Kotlin developers.

What Is CVE-2024-55875?

Prior to version 5.41.., http4k's XML handling routines had an issue: they failed to securely parse XML, leaving the door open for XML External Entity (XXE) Injection attacks.

What Is XXE?

XXE stands for "XML External Entity Infection_Processing)". It allows attackers to inject hostile XML containing references to local files or network resources, which may:

- Leak sensitive files (e.g., /etc/passwd, .env)

Who’s Affected?

Any Kotlin application using http4k before version 5.41.. and which accepts, parses, or works with XML data submitted by users.

Vulnerable Code Sample

Imagine a simple http4k handler that accepts an XML payload.

val handler = { request: Request ->
    val xmlPayload = request.bodyString()
    val documentBuilderFactory = DocumentBuilderFactory.newInstance()
    val documentBuilder = documentBuilderFactory.newDocumentBuilder()
    val inputStream = xmlPayload.byteInputStream()
    val xmlDocument = documentBuilder.parse(inputStream)
    // Process the XML document...
    Response(Status.OK)
}

What’s wrong:
By default, DocumentBuilderFactory in Java/Kotlin allows "external entities" in XML. Without hardening its settings, XXE is possible!

Here’s how an attacker could craft XML to steal /etc/passwd

<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

When the vulnerable code parses this, the content of the server’s /etc/passwd file is inserted into the parsed XML tree. The attacker just needs your handler to echo it back in any way—or, with SSRF, to trigger a network connection.

How Was It Patched?

Starting in http4k 5.41.., the XML parsers are now hardened. They explicitly disable external entity loading by default.

Upgrade to this version or higher!
Release Notes with Fix →

Always configure your XML parsers safely, like so

val dbf = DocumentBuilderFactory.newInstance()
// Block DTDs and external entities!
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true)
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false)
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, false)
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";, false)
dbf.isXIncludeAware = false
dbf.isExpandEntityReferences = false

val db = dbf.newDocumentBuilder()
val doc = db.parse(request.body.inputStream)

References and CVE Reports

- CVE-2024-55875 at CVE.org
- http4k release notes & patch
- xxe vulnerability explained (OWASP)_Processing)

Monitor yourself for signs of exploitation if you ever accepted user XML.

Stay secure! Never trust XML without hardening your parser.


*This post is an exclusive, simplified rundown for the Kotlin server community. Feel free to share with your team. If you need technical help patching, reach out to your Kotlin security experts!*

Timeline

Published on: 12/12/2024 19:15:13 UTC
Last modified on: 12/13/2024 15:15:42 UTC