@xmldom/xmldom@0.7.5 vulnerabilities

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Direct Vulnerabilities

Known vulnerabilities in the @xmldom/xmldom package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Improper Input Validation

@xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom

Affected versions of this package are vulnerable to Improper Input Validation due to parsing XML that is not well-formed, and contains multiple top-level elements. All the root nodes are being added to the childNodes collection of the Document, without reporting or throwing any error.

How to fix Improper Input Validation?

Upgrade @xmldom/xmldom to version 0.7.7, 0.8.4, 0.9.0-beta.4 or higher.

<0.7.7 >=0.8.0 <0.8.4 >=0.9.0-beta.1 <0.9.0-beta.4
  • H
Prototype Pollution

@xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom

Affected versions of this package are vulnerable to Prototype Pollution through the copy() function in dom.js. Exploiting this vulnerability is possible via the p variable.

DISPUTED This vulnerability has been disputed by the maintainers of the package. Currently the only viable exploit that has been demonstrated is to pollute the target object (rather then the global object which is generally the case for Prototype Pollution vulnerabilities) and it is yet unclear if this limited attack vector exposes any vulnerability in the context of this package.

See the linked GitHub Issue for full details on the discussion around the legitimacy and potential revocation of this vulnerability.

How to fix Prototype Pollution?

Upgrade @xmldom/xmldom to version 0.7.6, 0.8.3, 0.9.0-beta.2 or higher.

<0.7.6 >=0.8.0 <0.8.3 >=0.9.0-beta.1 <0.9.0-beta.2