CVE-2021-21366 – xmldom
Package
Manager: npm
Name: xmldom
Vulnerable Version: >=0 <0.5.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00574 (percentile 0.67765)
Details
Misinterpretation of malicious XML input

### Impact
xmldom versions 0.4.0 and older do not correctly preserve [system identifiers](https://www.w3.org/TR/2008/REC-xml-20081126/#d0e4313), [FPIs](https://en.wikipedia.org/wiki/Formal_Public_Identifier) or [namespaces](https://www.w3.org/TR/xml-names11/) when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

### Patches
Update to 0.5.0 (once it is released)

### Workarounds
Downstream applications can validate the input and reject the maliciously crafted documents.

### References
Similar to this one reported on the Go standard library:
- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [`xmldom/xmldom`](https://github.com/xmldom/xmldom)
* Email us: send an email to **all** addresses that are shown by `npm owner ls xmldom`
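The defect class above (a parse/serialize cycle that silently changes a document's DOCTYPE identifiers or namespace bindings) can be detected by a downstream application before it trusts the output, which is what the Workarounds section suggests. The following is an added example, not code from the xmldom project: it round-trips a document through a parser/serializer pair, fingerprints the doctype, element and attribute namespace structure of both parses, and reports any difference. It uses Python's standard-library `minidom` as a stand-in DOM implementation (xmldom itself is a JavaScript library and is not exercised here); the sample document and the two "lossy" serializers are constructed to show what the check flags and do not reproduce xmldom's exact behaviour.

```python
"""Round-trip fidelity check for XML documents.

Added example (not part of xmldom). minidom is only a stand-in: the check
needs just a parse() and a serialize() callable, so the same logic can wrap
whatever DOM implementation a downstream application actually uses.
"""
from xml.dom import minidom

# Constructed sample carrying all three features the advisory names:
# a public identifier (FPI), a system identifier and namespace bindings.
SAMPLE_XML = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE note PUBLIC "-//EXAMPLE//DTD Note 1.0//EN" '
    '"http://example.invalid/note.dtd">\n'
    '<note xmlns="urn:example:note" xmlns:x="urn:example:ext">'
    '<x:to x:priority="high">Tove</x:to><body>Hi</body></note>'
)


def fingerprint(doc):
    """Collect doctype identifiers plus (namespace URI, local name, attributes)
    for every element. Text content is deliberately ignored: the check is
    about syntactic structure, which is what the advisory says can change."""
    dt = doc.doctype
    doctype = None if dt is None else (dt.name, dt.publicId, dt.systemId)
    nodes = []

    def walk(node):
        if node.nodeType == node.ELEMENT_NODE:
            attrs = sorted(
                (a.namespaceURI or "", a.localName or a.name, a.value)
                for a in node.attributes.values()
            )
            nodes.append((node.namespaceURI or "",
                          node.localName or node.tagName, tuple(attrs)))
        for child in node.childNodes:
            walk(child)

    walk(doc)
    return {"doctype": doctype, "nodes": nodes}


def round_trip_problems(xml_text, parse=minidom.parseString, serialize=None):
    """Parse, serialize, parse again and list every structural difference
    between the two parses. An empty list means the pair is round-trip stable
    for this input."""
    if serialize is None:
        serialize = lambda doc: doc.toxml()
    first = parse(xml_text)
    try:
        second = parse(serialize(first))
    except Exception as exc:  # a re-parse failure is itself a finding
        return [f"re-parse failed: {exc}"]
    a, b = fingerprint(first), fingerprint(second)
    problems = []
    if a["doctype"] != b["doctype"]:
        problems.append(f"doctype changed: {a['doctype']!r} -> {b['doctype']!r}")
    for ns, local, _ in (n for n in a["nodes"] if n not in b["nodes"]):
        problems.append(f"element {{{ns}}}{local} changed namespace or attributes")
    return problems


def accept_if_stable(xml_text, **kw):
    """Gate for a processing pipeline: return the parsed document only when
    the round trip preserved its structure, otherwise reject it."""
    problems = round_trip_problems(xml_text, **kw)
    if problems:
        raise ValueError("unstable XML round trip: " + "; ".join(problems))
    return kw.get("parse", minidom.parseString)(xml_text)


# Two constructed lossy serializers, simulating the kind of information loss
# the advisory describes (they are illustrations, not xmldom's behaviour).
def drop_doctype(doc):
    """Emit only the root element, so PUBLIC/SYSTEM identifiers vanish."""
    return doc.documentElement.toxml()


def rewrite_namespace(doc):
    """Alter the default namespace URI between the two parses."""
    return doc.toxml().replace("urn:example:note", "urn:example:changed")


if __name__ == "__main__":
    print("faithful :", round_trip_problems(SAMPLE_XML))
    print("no doctype:", round_trip_problems(SAMPLE_XML, serialize=drop_doctype))
    print("ns changed:", round_trip_problems(SAMPLE_XML, serialize=rewrite_namespace))
```

The fingerprint compares DOCTYPE name/public/system identifiers and each element's namespace URI together with its namespace-qualified attributes, which covers the three properties the advisory lists; it ignores text so that ordinary content escaping differences do not cause false positives. Wrapping the real parser and serializer in `parse` and `serialize` lets the same gate sit in front of any processing step that re-serializes untrusted XML.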
Metadata
Created: 2021-03-12T22:39:39Z
Modified: 2023-01-02T21:51:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-h6q6-9hqw-rwfv/GHSA-h6q6-9hqw-rwfv.json
CWE IDs: ["CWE-115", "CWE-436"]
Alternative ID: GHSA-h6q6-9hqw-rwfv
Finding: F184
Auto approve: 1