MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg2cTYtOWhxdy1yd2Z2

Moderate EPSS: 0.00574% (0.67594 Percentile) EPSS:

Permalink JSON

Misinterpretation of malicious XML input

Affected Packages	Affected Versions	Fixed Versions
npm:xmldom PURL: `pkg:npm/xmldom`	< 0.5.0	0.5.0
2,788 Dependent packages 424,390 Dependent repositories 7,295,157 Downloads last month Affected Version Ranges All affected versions 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.1.21, 0.1.22, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.29, 0.1.30, 0.1.31, 0.2.0, 0.2.1, 0.3.0, 0.4.0 All unaffected versions 0.5.0, 0.6.0

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls xmldom

References:

Identifiers

GHSA-h6q6-9hqw-rwfv

CVE-2021-21366

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00574

EPSS Percentile: 0.67594

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/xmldom/xmldom

Date and time

Published

over 4 years ago

Updated

over 2 years ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories