Improper Input Validation Affecting @xmldom/xmldom package, versions <0.7.7 >=0.8.0 <0.8.4 >=0.9.0-beta.1 <0.9.0-beta.4
Snyk ID: SNYK-JS-XMLDOMXMLDOM-3092934
- published 2 Nov 2022
- disclosed 1 Nov 2022
- credit frumioj, karfau
Introduced: 1 Nov 2022
CVE-2022-39353
How to fix?
Upgrade @xmldom/xmldom to version 0.7.7, 0.8.4, 0.9.0-beta.4 or higher.
Overview
@xmldom/xmldom is a JavaScript ponyfill that provides the following APIs, present in modern browsers, to other runtimes. Since version 0.7.0 this package is published to npm as @xmldom/xmldom and no longer as xmldom.
Affected versions of this package are vulnerable to Improper Input Validation when parsing XML that is not well-formed because it contains multiple top-level elements. All the root nodes are added to the childNodes collection of the Document, without reporting or throwing any error.
Workarounds
One of the following approaches might help, depending on your use case:
- Instead of searching for elements in the whole DOM, only search in the documentElement.
- Reject a document that has more than 1 childNode.
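One way to implement the second workaround, as an added example that is not part of the advisory or of the xmldom project: it counts only Element children of the Document, because with @xmldom/xmldom the XML declaration (a ProcessingInstruction) and inter-element whitespace (Text nodes) are also Document children, so a raw `childNodes.length > 1` check would reject well-formed input as well. The `parseXmlStrict` wrapper, the stand-in Document objects and all function names are this example's own assumptions.

```javascript
// Added example, not part of the Snyk advisory or the xmldom project:
// reject a parsed Document with more than one top-level element, as the
// workaround suggests. Only Element children (nodeType 1) are counted:
// with @xmldom/xmldom the XML declaration (ProcessingInstruction, type 7)
// and inter-element whitespace (Text, type 3) are also Document children,
// so a raw `childNodes.length > 1` check would reject valid input too.
const ELEMENT_NODE = 1;

// Element children of a Document-like object (anything with `childNodes`).
function rootElements(doc) {
  const roots = [];
  const nodes = doc.childNodes || [];
  for (let i = 0; i < nodes.length; i++) {
    if (nodes[i].nodeType === ELEMENT_NODE) roots.push(nodes[i]);
  }
  return roots;
}

// Throws unless exactly one root element is present; returns that element.
function requireSingleRoot(doc) {
  const roots = rootElements(doc);
  if (roots.length !== 1) {
    const names = roots.map((n) => n.nodeName).join(', ');
    throw new Error(`expected exactly 1 root element, found ${roots.length}` +
      (names ? ` (${names})` : ''));
  }
  return roots[0];
}

// Parse with a caller-supplied DOMParser class (e.g. from @xmldom/xmldom)
// and apply the check; returns the single root element on success.
function parseXmlStrict(DOMParser, xml) {
  const doc = new DOMParser().parseFromString(xml, 'text/xml');
  return requireSingleRoot(doc);
}

// Constructed Document-like stand-ins so the check runs without the real
// parser; their shape mirrors what @xmldom/xmldom builds for the PoC input.
const doubleRootDoc = { childNodes: [
  { nodeType: 7, nodeName: 'xml' }, { nodeType: 3, nodeName: '#text' },
  { nodeType: 1, nodeName: 'root' }, { nodeType: 3, nodeName: '#text' },
  { nodeType: 1, nodeName: 'root' }, { nodeType: 3, nodeName: '#text' },
] };
const singleRootDoc = { childNodes: [
  { nodeType: 7, nodeName: 'xml' }, { nodeType: 1, nodeName: 'root' },
] };

console.log(requireSingleRoot(singleRootDoc).nodeName); // root
try { requireSingleRoot(doubleRootDoc); } catch (e) { console.log(e.message); }
```

On a fixed version (0.7.7, 0.8.4, 0.9.0-beta.4 or later) the parser itself reports the second root element; the check above is defence in depth for code that cannot upgrade yet.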
PoC
// Affected package; before 0.7.0 it was published as 'xmldom'.
var DOMParser = require('@xmldom/xmldom').DOMParser;
// Two top-level <root> elements: not well-formed XML.
var xmlData = '<?xml version="1.0" encoding="UTF-8"?>\n' +
    '<root>\n' +
    '  <branch girth="large">\n' +
    '    <leaf color="green" />\n' +
    '  </branch>\n' +
    '</root>\n' +
    '<root>\n' +
    '  <branch girth="twig">\n' +
    '    <leaf color="gold" />\n' +
    '  </branch>\n' +
    '</root>\n';
// Affected versions parse without reporting or throwing any error.
var xmlDOM = new DOMParser().parseFromString(xmlData, 'text/xml');
console.log(xmlDOM.toString());
This results in the following output, with both root elements kept:
<?xml version="1.0" encoding="UTF-8"?><root>
  <branch girth="large">
    <leaf color="green"/>
  </branch>
</root>
<root>
  <branch girth="twig">
    <leaf color="gold"/>
  </branch>
</root>