Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jcmg2LWZwNjctNjg4M84AAvn0
xmldom allows multiple root nodes in a DOM
Impact
xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing.
This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.
Patches
Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).
Workarounds
One of the following approaches might help, depending on your use case:
- Instead of searching for elements in the whole DOM, only search in the documentElement.
- Reject a document that has more than 1 childNode.
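The second workaround above, written out as an added example (this is not xmldom's own code). It shows the check a dependent can run on a parsed Document before trusting it, with one caveat the one-line workaround glosses over: a well-formed document may legitimately have comments and processing instructions as siblings of the root element, so the check counts element nodes among the top-level childNodes rather than all childNodes. In real use the Document would come from `new DOMParser().parseFromString(xml, 'text/xml')` of @xmldom/xmldom (assumed); the documents below are constructed stand-ins with the same `nodeType`/`childNodes` shape so the block runs offline.

```javascript
// Added example, not part of the xmldom project: a defensive single-root check
// for a parsed Document. Affected xmldom versions accept input such as
// "<a/><b/>" and place both elements in document.childNodes without error;
// this check refuses such a document while still allowing XML prolog items.

const ELEMENT_NODE = 1;
const PROCESSING_INSTRUCTION_NODE = 7;
const COMMENT_NODE = 8;

// Return the single root element of `doc`, or throw if the parser accepted
// more than one top-level element (the condition described in the advisory).
// Comments and processing instructions at the top level are ignored because
// they are permitted before and after the root element in well-formed XML.
function assertSingleRoot(doc) {
  const roots = Array.from(doc.childNodes).filter(n => n.nodeType === ELEMENT_NODE);
  if (roots.length !== 1) {
    throw new Error(`expected exactly one root element, found ${roots.length}`);
  }
  return roots[0];
}

// Constructed stand-in for a Document (hypothetical helper, offline only):
// exposes childNodes and documentElement the way a DOM Document does.
function fakeDocument(nodes) {
  return {
    childNodes: nodes,
    documentElement: nodes.find(n => n.nodeType === ELEMENT_NODE) || null,
  };
}
const el = (nodeName) => ({ nodeType: ELEMENT_NODE, nodeName });
const pi = (target) => ({ nodeType: PROCESSING_INSTRUCTION_NODE, nodeName: target });
const comment = () => ({ nodeType: COMMENT_NODE, nodeName: '#comment' });

// Constructed sample 1: well-formed, with a prolog PI and a comment before the root.
const wellFormed = fakeDocument([pi('xml-stylesheet'), comment(), el('root')]);
// Constructed sample 2: the shape affected versions produce for "<a/><b/>".
const multiRoot = fakeDocument([el('a'), el('b')]);

// Wrap the check so callers get a result object instead of an exception.
function checkDocument(doc) {
  try {
    return { ok: true, root: assertSingleRoot(doc).nodeName };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

console.log(checkDocument(wellFormed)); // { ok: true, root: 'root' }
console.log(checkDocument(multiRoot));  // { ok: false, error: 'expected exactly one root element, found 2' }
```

Note that `documentElement` on the multi-root sample is only `<a>`; that is why the first workaround (searching under `documentElement` rather than the whole DOM) also limits exposure, but it silently drops the extra root instead of rejecting the input, so the explicit check is the safer choice where the input is untrusted.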
References
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcmg2LWZwNjctNjg4M84AAvn0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00182
EPSS Percentile: 0.56515
Identifiers: GHSA-crh6-fp67-6883, CVE-2022-39353
References:
- https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883
- https://github.com/xmldom/xmldom/releases/tag/0.7.7
- https://github.com/xmldom/xmldom/releases/tag/0.8.4
- https://github.com/xmldom/xmldom/releases/tag/0.9.0-beta.4
- https://nvd.nist.gov/vuln/detail/CVE-2022-39353
- https://github.com/jindw/xmldom/issues/150
- https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
- https://github.com/xmldom/xmldom/commit/52a708360c35aa160fcca8621720d71fd0f95f1a
- https://github.com/xmldom/xmldom/commit/7ff7c10ab2961703ac1752e95b4ff60ee4ee6643
- https://github.com/xmldom/xmldom/commit/c02f786216bed70825f9a351c65e61500f51e931
- https://github.com/advisories/GHSA-crh6-fp67-6883
Blast Radius: 55.2
Affected Packages
npm:@xmldom/xmldom
Dependent packages: 605
Dependent repositories: 85,555
Downloads: 35,651,281 last month
Affected Version Ranges: >= 0.9.0-beta.1, < 0.9.0-beta.4, >= 0.8.0, < 0.8.4, < 0.7.7
Fixed in: 0.9.0-beta.4, 0.8.4, 0.7.7
All affected versions: 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0-beta.1, 0.9.0-beta.2, 0.9.0-beta.3
All unaffected versions: 0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.7.11, 0.7.12, 0.7.13, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5
npm:xmldom
Dependent packages: 2,788
Dependent repositories: 424,390
Downloads: 6,933,856 last month
Affected Version Ranges: <= 0.6.0
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.29, 0.1.30, 0.1.31, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.6.0