@xmldom/xmldom 0.8.12

Direct Vulnerabilities

Known vulnerabilities in the @xmldom/xmldom package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H XML Injection @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection via the `createProcessingInstruction` function. An attacker can inject arbitrary XML nodes into the serialized output by supplying specially crafted data containing the PI-closing sequence, which is not validated or neutralized during serialization. This can alter the structure and meaning of generated XML documents, potentially impacting workflows that store, forward, sign, or parse XML. Note: This is only exploitable if the serialization is performed without passing the `{ requireWellFormed: true }` option. How to fix XML Injection? Upgrade `@xmldom/xmldom` to version 0.8.13, 0.9.10 or higher.	<0.8.13>=0.9.0 <0.9.10
H XML Injection @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection in the serialization of `DocumentType` nodes when attacker-controlled values are provided to the `publicId`, `systemId`, or `internalSubset` fields. An attacker can inject arbitrary XML markup into the serialized output by supplying specially crafted input to these fields, potentially leading to the injection of malicious DOCTYPE declarations or markup outside the intended context. Note: This is only exploitable if untrusted data is passed programmatically to `createDocumentType` or written directly to the relevant properties and then serialized without enabling strict validation. How to fix XML Injection? Upgrade `@xmldom/xmldom` to version 0.8.13, 0.9.10 or higher.	<0.8.13>=0.9.0 <0.9.10
H Uncontrolled Recursion @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including `normalize`, `serializeToString`, `getElementsByTagName`, `getElementsByTagNameNS`, `getElementsByClassName`, `getElementById`, `cloneNode`, `importNode`, `textContent`, and `isEqualNode`. An attacker can cause the application to crash or become unresponsive by submitting a valid, deeply nested XML payload that triggers uncontrolled recursion and stack exhaustion. How to fix Uncontrolled Recursion? Upgrade `@xmldom/xmldom` to version 0.8.13, 0.9.10 or higher.	<0.8.13>=0.9.0 <0.9.10
H XML Injection @xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from untrusted user input, the package fails to sanitize comment-breaking sequences (like `-->`). An attacker can input `-->` to terminate the comment prematurely. Once the comment is broken out of, any text the attacker places after the `-->` is treated as "live" XML markup by the serializer rather than harmless comment text. How to fix XML Injection? Upgrade `@xmldom/xmldom` to version 0.8.13, 0.9.10 or higher.	<0.8.13>=0.9.0 <0.9.10

Vulnerability

Vulnerable Version

XML Injection

@xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom

Affected versions of this package are vulnerable to XML Injection via the createProcessingInstruction function. An attacker can inject arbitrary XML nodes into the serialized output by supplying specially crafted data containing the PI-closing sequence, which is not validated or neutralized during serialization. This can alter the structure and meaning of generated XML documents, potentially impacting workflows that store, forward, sign, or parse XML.

Note:

This is only exploitable if the serialization is performed without passing the { requireWellFormed: true } option.

How to fix XML Injection?

Upgrade @xmldom/xmldom to version 0.8.13, 0.9.10 or higher.

<0.8.13>=0.9.0 <0.9.10

XML Injection

Affected versions of this package are vulnerable to XML Injection in the serialization of DocumentType nodes when attacker-controlled values are provided to the publicId, systemId, or internalSubset fields. An attacker can inject arbitrary XML markup into the serialized output by supplying specially crafted input to these fields, potentially leading to the injection of malicious DOCTYPE declarations or markup outside the intended context.

Note:

This is only exploitable if untrusted data is passed programmatically to createDocumentType or written directly to the relevant properties and then serialized without enabling strict validation.

How to fix XML Injection?

Upgrade @xmldom/xmldom to version 0.8.13, 0.9.10 or higher.

<0.8.13>=0.9.0 <0.9.10

Uncontrolled Recursion

Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including normalize, serializeToString, getElementsByTagName, getElementsByTagNameNS, getElementsByClassName, getElementById, cloneNode, importNode, textContent, and isEqualNode. An attacker can cause the application to crash or become unresponsive by submitting a valid, deeply nested XML payload that triggers uncontrolled recursion and stack exhaustion.

How to fix Uncontrolled Recursion?

Upgrade @xmldom/xmldom to version 0.8.13, 0.9.10 or higher.

<0.8.13>=0.9.0 <0.9.10

XML Injection

Affected versions of this package are vulnerable to XML Injection due to unvalidated comment serialization. When an application uses the package to create an XML comment from untrusted user input, the package fails to sanitize comment-breaking sequences (like -->). An attacker can input --> to terminate the comment prematurely. Once the comment is broken out of, any text the attacker places after the --> is treated as "live" XML markup by the serializer rather than harmless comment text.

How to fix XML Injection?

Upgrade @xmldom/xmldom to version 0.8.13, 0.9.10 or higher.

<0.8.13>=0.9.0 <0.9.10

@xmldom/xmldom@0.8.12

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically