FLAT-SPG7A – Vulnerability | Fluid Attacks Database

Database

Description

fast-xml-parser before 4.1.2 allows proto for Prototype Pollution.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	fast-xml-parser	>=0 <4.1.2	4.1.2
debian 14	node-webfont	=11.4.0+dfsg2+~cs35.7.26-13 \|\| =11.4.0+dfsg2+~cs35.7.26-14 \|\| =11.4.0+dfsg2+~cs35.7.26-15 \|\| =11.4.0+dfsg2+~cs35.7.26-16 \|\| =11.4.0+dfsg2+~cs35.7.26-18 \|\| =11.4.0+dfsg2+~cs35.7.26-19	-
debian 13	node-webfont	=11.4.0+dfsg2+~cs35.7.26-13 \|\| =11.4.0+dfsg2+~cs35.7.26-14 \|\| =11.4.0+dfsg2+~cs35.7.26-15 \|\| =11.4.0+dfsg2+~cs35.7.26-16 \|\| =11.4.0+dfsg2+~cs35.7.26-18 \|\| =11.4.0+dfsg2+~cs35.7.26-19	-
debian 12	node-webfont	=11.4.0+dfsg2+~cs35.7.26-10 \|\| =11.4.0+dfsg2+~cs35.7.26-11 \|\| =11.4.0+dfsg2+~cs35.7.26-12 \|\| =11.4.0+dfsg2+~cs35.7.26-13 \|\| =11.4.0+dfsg2+~cs35.7.26-14 \|\| =11.4.0+dfsg2+~cs35.7.26-15 \|\| =11.4.0+dfsg2+~cs35.7.26-16 \|\| =11.4.0+dfsg2+~cs35.7.26-18 \|\| =11.4.0+dfsg2+~cs35.7.26-19 \|\| =11.4.0+dfsg2+~cs35.7.26-7 \|\| =11.4.0+dfsg2+~cs35.7.26-8 \|\| =11.4.0+dfsg2+~cs35.7.26-9	-

Aliases

1. CVE-2023-269202. NVD-2023-269203. OSV-2023-269204. OSV-DEBIAN-2023-269205. GHSA-x3cc-x39p-42qx6. GHSA-793h-6f7r-6qvm7. GCVE-2023-269208. SECURITY-TRACKER-CVE-2023-26920

References

1. https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx2. https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd058043. https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7