Xmlbuilder is a popular Node.js library designed to simplify XML document creation and manipulation. Version 3.0.0 follows the preceding stable version, 2.6.5, and offers developers refined tools for building XML structures. While the core functionality remains consistent – a fluent API for constructing XML elements, attributes, and text nodes – developers should note that the upgrade may introduce refinements or breaking changes that are not explicit in the provided metadata; a major version bump implies a considerable change. Both versions depend on Lodash, a utility library, for data handling. Both versions also use CoffeeScript and Mocha for development and testing, indicating a mature and well-tested codebase. The library remains under the MIT license, giving it flexibility for diverse project needs. Ozgur Ozcitak continues as the author, ensuring continuity in the library's maintainership. The key differentiator is the step to version 3.0.0, which typically denotes significant architectural or API modifications that could affect existing implementations. Developers upgrading should therefore examine the changelog for migration instructions and an overview of the introduced changes to ensure a smooth transition and continued compatibility. Note also that the newer version was released one day after the older one, so developers should investigate the reason for the new release: a hot fix, or a major change?
All vulnerabilities related to version 3.0.0 of the package, all of which are inherited through its lodash dependency:
Command Injection in lodash
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Prototype Pollution in lodash
Versions of lodash before 4.17.11 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects. Update to version 4.17.11 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on all objects. Update to version 4.17.5 or later.
Prototype Pollution in lodash
Versions of lodash before 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep allows a malicious user to modify the prototype of Object via {constructor: {prototype: {...}}}, causing the addition or modification of an existing property that will exist on all objects. Update to version 4.17.12 or later.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays. This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
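The advisories above describe two families of the same problem: the merge/defaultsDeep/mergeWith entries, where a nested __proto__ or {constructor: {prototype: {...}}} key in merged input reaches Object.prototype, and the pick/set/setWith/update/updateWith/zipObjectDeep entry, where a user-supplied property path does the same. Upgrading lodash as each entry instructs is the fix; the following is an added JavaScript example of the defence-in-depth input check an application can keep beside that upgrade. It is not code from xmlbuilder or lodash: the helpers findForbiddenKeys, safeMerge and safeSetPath and the sample body CONSTRUCTED_BODY are this example's own constructions, written from scratch to show the checks.

```javascript
// Added example (not xmlbuilder's or lodash's code): toy deep-merge and
// set-by-path helpers that refuse the prototype-pollution key shapes named
// in the advisories, plus a detection helper that flags such keys in parsed
// input before it reaches any merge.

// Own keys through which a recursive merge or a path walk can reach
// Object.prototype. Both payload shapes from the advisories use them.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Detection: walk a parsed JSON body and return the dotted path of every
// forbidden key, so suspicious input can be rejected or logged up front.
function findForbiddenKeys(value, prefix = '') {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = prefix ? `${prefix}.${key}` : key;
    if (FORBIDDEN_KEYS.has(key)) hits.push(here);
    hits.push(...findForbiddenKeys(value[key], here));
  }
  return hits;
}

// Hardened counterpart to the merge/defaultsDeep/mergeWith family: forbidden
// keys are skipped, and a nested target is only reused when it is the
// target's own plain-object property (never an inherited one).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const incoming = source[key];
    if (isPlainObject(incoming)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], incoming);
    } else {
      target[key] = incoming;
    }
  }
  return target;
}

// Hardened counterpart to the set/setWith/update/updateWith/zipObjectDeep
// family: every path segment is validated before any property is touched,
// so "__proto__.x" and "constructor.prototype.x" are rejected outright.
function safeSetPath(obj, path, value) {
  const segments = Array.isArray(path) ? path.map(String) : String(path).split('.');
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`refusing to set a path through "${seg}"`);
    }
  }
  let cursor = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cursor, seg);
    if (!own || !isPlainObject(cursor[seg])) cursor[seg] = {};
    cursor = cursor[seg];
  }
  cursor[segments[segments.length - 1]] = value;
  return obj;
}

// Constructed sample request body carrying both payload shapes from the
// advisories (a hypothetical input for this example, not a real capture).
const CONSTRUCTED_BODY =
  '{"name":"demo","__proto__":{"polluted":"yes"},' +
  '"constructor":{"prototype":{"polluted":"yes"}}}';

function demo() {
  const body = JSON.parse(CONSTRUCTED_BODY);
  const flagged = findForbiddenKeys(body);
  const merged = safeMerge({ name: 'orig', nested: { keep: true } }, body);
  // A fresh object must not have gained a "polluted" property.
  const prototypeClean = ({}).polluted === undefined;
  return { flagged, merged, prototypeClean };
}

console.log(JSON.stringify(demo()));
```

The detection helper is the piece worth wiring into request validation or logging: a body that contains __proto__, constructor or prototype as an own key is almost never legitimate application data, so flagging it gives a signal even where the merge itself has already been patched.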