Version Details and Security Vulnerabilities

📦

xmldom

0.1.9

Comparision Betweeen 0.1.9 and 0.1.8

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

xmldom

0.1.9

Comparision Betweeen 0.1.9 and 0.1.8

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.9 of the package xmldom.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.9 of the package

Summary:

Misinterpretation of malicious XML input

Details:

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls xmldom

Details about xmldom@0.1.9

Summary:

Misinterpretation of malicious XML input

Details:

Impact

xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #271 for the status of publishing xmldom to npm or join #270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
https://mattermost.com/blog/securing-xml-implementations-across-the-web/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls @xmldom/xmldom

Details about xmldom@0.1.9

Summary:

xmldom allows multiple root nodes in a DOM

Details:

Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case:

Instead of searching for elements in the whole DOM, only search in the documentElement.
Reject a document with a document that has more then 1 childNode.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39299
https://github.com/jindw/xmldom/issues/150

For more information

If you have any questions or comments about this advisory:

Email us at security@xmldom.org

Details about xmldom@0.1.9

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.9 of the package xmldom.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.9 of the package

Summary:

Misinterpretation of malicious XML input

Details:

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls xmldom

Details about xmldom@0.1.9

Summary:

Misinterpretation of malicious XML input

Details:

Impact

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #271 for the status of publishing xmldom to npm or join #270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
https://mattermost.com/blog/securing-xml-implementations-across-the-web/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls @xmldom/xmldom

Details about xmldom@0.1.9

Summary:

xmldom allows multiple root nodes in a DOM

Details:

Impact

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case:

Instead of searching for elements in the whole DOM, only search in the documentElement.
Reject a document with a document that has more then 1 childNode.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39299
https://github.com/jindw/xmldom/issues/150

For more information

If you have any questions or comments about this advisory:

Email us at security@xmldom.org

Details about xmldom@0.1.9

Version Details and Security Vulnerabilities

xmldom

Comparision Betweeen 0.1.9 and 0.1.8

Security Vulnerabilities

Version Details and Security Vulnerabilities

xmldom

Comparision Betweeen 0.1.9 and 0.1.8

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

xmldom@0.1.9 GHSA-h6q6-9hqw-rwfv 4.3

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.9 GHSA-5fg8-2547-mr8q 6.5

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.9 GHSA-crh6-fp67-6883 9.8

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

xmldom@0.1.9 GHSA-h6q6-9hqw-rwfv 4.3

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.9 GHSA-5fg8-2547-mr8q 6.5

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.9 GHSA-crh6-fp67-6883 9.8

Impact

Patches

Workarounds

References

For more information