CVE-2018-1000844

CRITICAL

Square Retrofit < 2.5.0 - XML External Entity Injection via JAXB

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-1000844. PoCs published by dawetmaster, andikahilmy, epicosy.

AI-analyzed exploit summary This repository contains a vulnerable version of Retrofit (2.4.0) affected by CVE-2018-1000844, which involves deserialization of untrusted data. The repository includes source code, build scripts, and documentation but does not contain an exploit PoC or detailed technical analysis of the vulnerability.

Description

Square Open Source Retrofit version Prior to commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437 contains a XML External Entity (XXE) vulnerability in JAXB that can result in An attacker could use this to remotely read files from the file system or to perform SSRF.. This vulnerability appears to have been fixed in After commit 4a693c5aeeef2be6c7ecf80e7b5ec79f6ab59437.

Exploits (3)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1000844-retrofit-vulnerable

This repository contains a vulnerable version of Retrofit (2.4.0) affected by CVE-2018-1000844, which involves deserialization of untrusted data. The repository includes source code, build scripts, and documentation but does not contain an exploit PoC or detailed technical analysis of the vulnerability.

Classification
Writeup 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Retrofit 2.4.0
No auth needed
Prerequisites: Vulnerable Retrofit version (2.4.0 or earlier) · Ability to send crafted requests to an application using Retrofit
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1000844-retrofit-vulnerable

This repository contains a vulnerable version of Retrofit (2.4.0) affected by CVE-2018-1000844, which involves deserialization of untrusted data. The repository includes source code, build scripts, and documentation but does not contain a functional exploit or PoC.

Classification
Writeup 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Retrofit 2.4.0
No auth needed
Prerequisites: Access to a vulnerable Retrofit application processing untrusted data
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by epicosy · poc
https://github.com/epicosy/Retrofit-1

This repository contains the source code for Retrofit, a type-safe HTTP client for Android and Java, but does not include any exploit PoC for CVE-2018-1000844. The files are legitimate project files, including build scripts, READMEs, and adapter implementations.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Retrofit (version not specified in exploit context)
No auth needed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
https://github.com/square/retrofit/pull/2735

Scores

CVSS v3 9.1
EPSS 0.0091
EPSS Percentile 76.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-611
Status published
Products (2)
com.squareup.retrofit2/retrofit 2.0.0 - 2.5.0Maven
squareup/retrofit 2.4.0 - 2.5.0
Published Dec 20, 2018
Tracked Since Feb 18, 2026