CVE-2023-0842 – xml2js
Package
Manager: npm
Name: xml2js
Vulnerable Version: >=0 <0.5.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00251 (percentile 0.4832)
Details
xml2js is vulnerable to prototype pollution. Versions of xml2js before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
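The key-handling pattern behind this weakness class (CWE-1321), shown as an added JavaScript example that is not xml2js source code and not part of the advisory: untrusted names used as keys on an ordinary object, beside two hardened builders and a check for an altered prototype. All function names and the sample pairs are constructed for illustration.

```javascript
// Added illustration of CWE-1321; not xml2js source code.
// Constructed input: names and values as a parser might hand them to its object builder.
const samplePairs = [
  ["name", "widget"],
  ["__proto__", { polluted: true }], // untrusted name that reaches the prototype
];

// Vulnerable pattern: untrusted names become keys of a normal object.
function buildUnsafe(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    out[key] = value; // "__proto__" hits the inherited setter and swaps out's prototype
  }
  return out;
}

// Hardened pattern 1: a prototype-less target, so "__proto__" is stored as a plain own key.
function buildNullProto(pairs) {
  const out = Object.create(null);
  for (const [key, value] of pairs) {
    out[key] = value;
  }
  return out;
}

// Hardened pattern 2: refuse keys that can reach the prototype chain.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function buildFiltered(pairs) {
  const out = {};
  for (const [key, value] of pairs) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected key: ${key}`);
    out[key] = value;
  }
  return out;
}

// Check: true when an object inherits from something other than Object.prototype or null.
function hasForeignPrototype(obj) {
  const proto = Object.getPrototypeOf(obj);
  return proto !== Object.prototype && proto !== null;
}
```

With the unsafe builder, `polluted` is readable on the result although it is not an own property, which is why own-key enumeration alone will not reveal it.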
Metadata
Created: 2023-04-05T21:30:24Z
Modified: 2025-02-13T22:08:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-776f-qx25-q3cc/GHSA-776f-qx25-q3cc.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-776f-qx25-q3cc
Finding: F390
Auto approve: 1