External risk intelligence

http4k XXE Vulnerability Allows Sensitive Data Disclosure and Server-Side Request Forgery

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2024-55875

A vulnerability in the http4k toolkit for Kotlin HTTP applications allows for denial-of-service attacks when processing untrusted XML. Attackers can exploit this by sending specially crafted XML with doctype declarations, potentially exhausting server resources. Readers should verify if their Kotlin HTTP applications u

4Halo Surface Signal

Information Disclosure

External exposure likelihood

Halo Surface Signal score for CVE-2024-55875

http4k is a functional toolkit designed for building HTTP applications and APIs. Since the vulnerability exists in the XML parsing components used to process incoming HTTP requests, applications built with this library are often designed to be web-facing services that accept and process user-supplied data, making exposure to the internet a common and expected deployment pattern.

PCI scan relevance

PCI Relevance for CVE-2024-55875

Yes

CVE-2024-55875 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This http4k vulnerability could allow attackers to read sensitive information, cause denial of service, or execute code, which may lead to a PCI compliance failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in the http4k toolkit for Kotlin applications that affects how certain XML data is processed. While previous fixes addressed some risks, a residual gap allowed for denial-of-service attacks through a specific type of XML manipulation, even if other malicious external entities were blocked. The latest update rejects any XML documents containing doctype declarations, mitigating this remaining risk. The main concern is confirming relevance and exposure.

Malicious XML can crash services.
Prevents complex internal XML attacks.
Confirm if your Kotlin HTTP apps use http4k.

Attack Path

How an attacker could exploit the issue

An attacker could target applications built with http4k by sending specially crafted XML data within an HTTP request. If the application uses http4k's XML parsing functions, the attacker could leverage this to cause a denial-of-service condition by overwhelming the server with complex entity expansions.

Requires network access to the application.
Triggered by sending malicious XML in HTTP requests.
Risk of denial-of-service attacks.

Live Threat

Current exploitation, exposure, and threat context

When http4k applications process untrusted XML content in requests, they could be vulnerable to denial-of-service attacks that exhaust server resources. This could occur when an application uses `Body.xml()` or `Document.asXmlDocument()` to parse specially crafted XML documents containing `<!DOCTYPE>` declarations.

Denial-of-service attacks.
Malicious XML documents.
Service disruption or unavailability.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

In a real-world scenario, application owners and platform teams are likely responsible for addressing this vulnerability within their Kotlin HTTP applications that use the http4k library. The first practical step involves identifying all instances of the affected http4k XML parsing functionality, confirming their accessibility and criticality, and then coordinating remediation efforts.

Application owners should own the issue.
Verify XML parsing usage and reachability.
Plan remediation or vendor coordination.

Frequently asked questions

What is http4k and how is it used?

http4k is a functional toolkit written in Kotlin designed for building HTTP services and APIs. Developers use it to handle web requests and responses within their applications. Because it focuses on functional, lightweight HTTP interactions, it is commonly used to build modern, modular web services that may need to parse various data formats, including XML, when communicating with other systems.

What is the vulnerability in CVE-2024-55875?

This CVE involves an XML External Entity (XXE) vulnerability, categorized as CWE-611, CWE-200, and CWE-918. While early patches blocked common external data theft, a residual flaw remained. The parser could still be tricked by "billion-laughs" style XML, which uses nested entity declarations to expand exponentially in memory. This allows an attacker to overwhelm the server's resources, causing a denial-of-service, even if they cannot steal files or forge network requests.

How can an attacker trigger this XML vulnerability?

An attacker triggers the vulnerability by sending a specially crafted XML document within an HTTP request to an application using vulnerable http4k parsing functions like Body.xml(). The attack relies on including a <!DOCTYPE> declaration that the parser processes. It is important to note that simply using the http4k library does not trigger the bug; the vulnerability only manifests when the application actively parses untrusted XML input from a user or external source.

Do I need to worry if my service is internet-facing?

Yes, if your application is internet-facing, it is at higher risk. Halo Surface Signal identifies http4k as a toolkit typically used for web-facing services that accept and process user-supplied data, making exposure to the internet a standard deployment pattern. If your service processes XML requests from the public, an attacker can reach this parsing component directly, increasing the likelihood that they could successfully trigger a denial-of-service condition.

How do I start addressing CVE-2024-55875?

The first step is to audit your Kotlin applications to identify where you are using http4k's XML parsing functions, such as Body.xml() or Document.asXmlDocument(). Once these integration points are located, evaluate if they handle untrusted or externally sourced XML. If so, prioritize updating to http4k version 6.50.0.0 or later, which now strictly rejects any XML documents containing doctype declarations, effectively closing the residual expansion risk.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.