CVE-2023-26119
📋 TL;DR
This vulnerability allows remote code execution via XSLT processing in HtmlUnit when browsing malicious webpages. Attackers can execute arbitrary code on systems running vulnerable versions of HtmlUnit. This affects any Java application using HtmlUnit versions before 3.0.0 for web scraping, testing, or browser automation.
💻 Affected Systems
- HtmlUnit
📦 What is this software?
Htmlunit by Htmlunit
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems in the network.
Likely Case
Server compromise leading to data exfiltration, cryptocurrency mining, or use as part of a botnet.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are in place, though code execution would still be possible.
🎯 Exploit Status
Exploitation requires the victim to browse a malicious webpage using HtmlUnit. Public proof-of-concept code exists demonstrating the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.0 and later
Vendor Advisory: https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b
Restart Required: Yes
Instructions:
1. Update the HtmlUnit dependency to version 3.0.0 or later in your project's build configuration (pom.xml for Maven, build.gradle for Gradle).
2. Rebuild and redeploy your application.
3. Restart any services using the updated application.
🔧 Temporary Workarounds
Disable XSLT processing
Configure HtmlUnit to disable XSLT processing to prevent exploitation via this vector:
WebClient webClient = new WebClient();
webClient.getOptions().setXSLTEnabled(false);
🧯 If You Can't Patch
- Network segmentation to isolate systems using HtmlUnit from critical infrastructure
- Implement strict outbound firewall rules to limit data exfiltration and command-and-control communication
🔍 How to Verify
Check if Vulnerable:
Check your project's dependency configuration for HtmlUnit versions below 3.0.0. For Maven: mvn dependency:tree | grep htmlunit. For Gradle: gradle dependencies | grep htmlunit.
Check Version:
mvn dependency:tree | grep htmlunit OR gradle dependencies | grep htmlunit
Verify Fix Applied:
Verify the HtmlUnit version is 3.0.0 or higher in your dependency tree and that XSLT processing is disabled if using the workaround.
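The version check above can be scripted. The shell function below is an added example, not part of the advisory or the HtmlUnit project: it reads dependency-tree text and flags any `htmlunit` artifact with a major version below 3, under both the `net.sourceforge.htmlunit` group (the one named in the Snyk identifier in the references) and the `org.htmlunit` group used by 3.x releases. The function names and the sample dependency tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag HtmlUnit < 3.0.0 in the text
# printed by `mvn dependency:tree` or `gradle dependencies`, read from stdin.
# Prints group:artifact:version per vulnerable entry; exit 0 if any, else 1.
find_vulnerable_htmlunit() {
    awk '
    {
        # Match only the htmlunit artifact, not htmlunit-core-js and similar.
        if (!match($0, /(net\.sourceforge\.htmlunit|org\.htmlunit):htmlunit:[^ ]+/))
            next
        n = split(substr($0, RSTART, RLENGTH), part, ":")
        # Maven prints the packaging ("jar") before the version; Gradle does not.
        version = (part[3] ~ /^[0-9]/) ? part[3] : part[4]
        # Gradle shows conflict resolution as "requested -> resolved".
        if (match($0, /-> [0-9][^ ]*/))
            version = substr($0, RSTART + 3, RLENGTH - 3)
        if (version !~ /^[0-9]/)
            next
        split(version, v, ".")
        if (v[1] + 0 < 3) {
            print part[1] ":htmlunit:" version
            found = 1
        }
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample input: four Maven-style lines, two Gradle-style lines.
sample_tree() {
    cat <<'EOF'
[INFO] com.example:scraper:jar:1.0.0
[INFO] +- net.sourceforge.htmlunit:htmlunit:jar:2.70.0:compile
[INFO] |  +- net.sourceforge.htmlunit:htmlunit-core-js:jar:2.70.0:compile
[INFO] \- org.slf4j:slf4j-api:jar:2.0.7:compile
+--- net.sourceforge.htmlunit:htmlunit:2.50.0 -> 2.64.0
\--- org.htmlunit:htmlunit:3.1.0
EOF
}

sample_tree | find_vulnerable_htmlunit || echo "no HtmlUnit below 3.0.0 found"
```

In a build pipeline, pipe the real output into the function (`mvn dependency:tree | find_vulnerable_htmlunit`) and fail the job when it exits 0.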
📡 Detection & Monitoring
Log Indicators:
- Unusual child processes spawned by Java processes, especially command execution via Runtime.exec() or ProcessBuilder
- Unexpected network connections from Java processes to external IPs
- Errors related to XSLT processing in application logs
Network Indicators:
- Outbound connections from application servers to suspicious domains/IPs
- Unusual traffic patterns from systems running HtmlUnit
SIEM Query:
process_name:java AND (process_cmdline:*Runtime.exec* OR process_cmdline:*ProcessBuilder*) AND parent_process:*java*
🔗 References
- https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b
- https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500
- https://siebene.github.io/2022/12/30/HtmlUnit-RCE/