
GSA_kwCzR0hTQS1jcmg2LWZwNjctNjg4M84AAvn0

Severity: Critical
EPSS: 0.01314% (0.79233 percentile)

xmldom allows multiple root nodes in a DOM

Affected package: npm:@xmldom/xmldom
PURL: pkg:npm/%40xmldom%2Fxmldom
Affected versions: >= 0.9.0-beta.1, < 0.9.0-beta.4; >= 0.8.0, < 0.8.4; < 0.7.7
Fixed versions: 0.9.0-beta.4, 0.8.4, 0.7.7
Dependent packages: 605
Dependent repositories: 85,555
Downloads last month: 60,653,065

Affected Version Ranges

All affected versions

0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 0.8.2, 0.8.3

All unaffected versions

0.7.7, 0.7.8, 0.7.9, 0.7.10, 0.7.11, 0.7.12, 0.7.13, 0.8.4, 0.8.5, 0.8.6, 0.8.7, 0.8.8, 0.8.9, 0.8.10, 0.8.11, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.9.8

Affected package: npm:xmldom
PURL: pkg:npm/xmldom
Affected versions: <= 0.6.0
Fixed versions: no known fixed version
Dependent packages: 2,788
Dependent repositories: 424,390
Downloads last month: 7,519,002

Affected Version Ranges

All affected versions

0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.29, 0.1.30, 0.1.31, 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.5.0, 0.6.0

Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing.
This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case:

  • Instead of searching for elements in the whole DOM, only search in the documentElement.
  • Reject a document whose Document node has more than 1 childNode.
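The two workarounds above, as an added example that is not the xmldom project's own code. The Document objects in it are constructed stand-ins exposing the fields a DOM Document has (childNodes, nodeType, nodeName, documentElement), so it runs without the package installed; with @xmldom/xmldom present, `new DOMParser().parseFromString(xml, "text/xml")` would supply a real one.

```javascript
// Added example, not code from the xmldom project: apply the advisory's two
// workarounds to a parsed Document. Documents here are constructed stand-ins
// with the DOM fields the checks read (childNodes, nodeType, nodeName,
// documentElement); they are not real parser output.
const ELEMENT_NODE = 1;
const COMMENT_NODE = 8;
// Number of element nodes directly under the Document. Comments and processing
// instructions are legal outside the root element, so only elements count.
// Indexed access is used because DOM NodeLists are not always iterable.
function countRootElements(doc) {
  let count = 0;
  for (let i = 0; i < doc.childNodes.length; i++) {
    if (doc.childNodes[i].nodeType === ELEMENT_NODE) count += 1;
  }
  return count;
}
// Workaround: reject the Document unless exactly one root element is present.
function requireSingleRoot(doc) {
  const roots = countRootElements(doc);
  if (roots !== 1) {
    throw new Error(`rejected document: ${roots} root elements, expected 1`);
  }
  return doc;
}
// Workaround: collect elements by tag name beneath documentElement only, so
// elements hanging off an extra top-level node are never considered.
function findInRoot(doc, tagName) {
  const found = [];
  const walk = (node) => {
    for (let i = 0; i < node.childNodes.length; i++) {
      const child = node.childNodes[i];
      if (child.nodeType !== ELEMENT_NODE) continue;
      if (child.nodeName === tagName) found.push(child);
      walk(child);
    }
  };
  if (doc.documentElement) walk(doc.documentElement);
  return found;
}
// Constructed stand-ins for parsed Documents (not real parser output).
const el = (nodeName, ...childNodes) => ({ nodeType: ELEMENT_NODE, nodeName, childNodes });
const comment = () => ({ nodeType: COMMENT_NODE, nodeName: "#comment", childNodes: [] });
const makeDoc = (...childNodes) =>
  ({ childNodes, documentElement: childNodes.find((n) => n.nodeType === ELEMENT_NODE) || null });
// <!-- c --><root><user/></root>: well-formed, one root element plus a comment
const wellFormed = makeDoc(comment(), el("root", el("user")));
// <root><user/></root><root><user/></root>: two top-level elements, accepted silently by affected versions
const twoRoots = makeDoc(el("root", el("user")), el("root", el("user")));
```

Searching only beneath documentElement finds a single `user` in the two-root document, while the whole-DOM childNodes collection would expose both; the strict check rejects that document outright and still accepts a leading comment.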
