Homepage

Uncontrolled Recursion Affecting @xmldom/xmldom package, versions <0.8.13>=0.9.0 <0.9.10

Severity

 Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.04% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Uncontrolled Recursion vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-XMLDOMXMLDOM-16134530
  • published23 Apr 2026
  • disclosed22 Apr 2026
  • creditJvr2022, praveen-kv, KarimTantawey
Report a new vulnerability Found a mistake?

Introduced: 22 Apr 2026

CVE-2026-41673  (opens in a new tab)
CWE-674  (opens in a new tab)

How to fix?

Upgrade @xmldom/xmldom to version 0.8.13, 0.9.10 or higher.

Overview

@xmldom/xmldom is a javascript ponyfill to provide the following APIs that are present in modern browsers to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom

Affected versions of this package are vulnerable to Uncontrolled Recursion in the recursive processing of deeply nested XML documents by several DOM-related operations, including normalize, serializeToString, getElementsByTagName, getElementsByTagNameNS, getElementsByClassName, getElementById, cloneNode, importNode, textContent, and isEqualNode. An attacker can cause the application to crash or become unresponsive by submitting a valid, deeply nested XML payload that triggers uncontrolled recursion and stack exhaustion.

PoC

const { DOMParser, XMLSerializer } = require('@xmldom/xmldom');

const depth = 5000;
const xml = '<a>'.repeat(depth) + '</a>'.repeat(depth);
const doc = new DOMParser().parseFromString(xml, 'text/xml');
new XMLSerializer().serializeToString(doc);
// RangeError: Maximum call stack size exceeded

CVSS Base Scores

version 4.0
version 3.1