Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Low
karfau published GHSA-9pgh-qqpf-7wqj Oct 11, 2022

Package: npm @xmldom/xmldom (npm)

Affected versions
= 0.9.0-beta.1
<0.7.6
>= 0.8.0, < 0.8.3

Patched versions
>=0.9.0-beta.2
~0.7.6
~0.8.3

Package: npm xmldom (npm)

Affected versions
<= 0.6.0

Patched versions
None

Description

Impact

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.
Please be aware that every attempt to provide an exploit was unsuccessful, and we are in the process of marking this report as invalid.

Patches

Update to @xmldom/xmldom@~0.7.6, @xmldom/xmldom@~0.8.3 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.2 (dist-tag next).
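As an added example (not code from this advisory or from the xmldom project), the following script checks an installed package version against the affected ranges listed above, so a dependency audit can tell whether an upgrade to one of the patched lines is needed. It assumes plain major.minor.patch[-prerelease] version strings and handles only the comparator forms this advisory uses (=, <, <=, >=, and comma-joined bounds).

```javascript
// Added example, not code from the xmldom project: a small SemVer comparator
// that tests an installed version against the ranges listed in this advisory.
// Assumes "major.minor.patch[-prerelease]" strings; not a full range parser.

function parseVersion(v) {
  // "0.9.0-beta.1" -> { nums: [0, 9, 0], pre: ["beta", 1] }
  const dash = v.indexOf("-");
  const core = dash < 0 ? v : v.slice(0, dash);
  const pre = dash < 0 ? null : v.slice(dash + 1);
  const nums = core.split(".").map(Number);
  const preIds = pre ? pre.split(".").map(p => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { nums, pre: preIds };
}

// Returns -1, 0 or 1 following SemVer precedence: numeric core first, then a
// prerelease sorts below its release (0.9.0-beta.1 < 0.9.0), then prerelease
// identifiers compare numerically when both are numbers, otherwise as strings.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.nums[i] !== vb.nums[i]) return va.nums[i] < vb.nums[i] ? -1 : 1;
  }
  if (!va.pre && !vb.pre) return 0;
  if (!va.pre) return 1;
  if (!vb.pre) return -1;
  for (let i = 0; i < Math.max(va.pre.length, vb.pre.length); i++) {
    const x = va.pre[i], y = vb.pre[i];
    if (x === undefined) return -1;       // shorter prerelease list sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === "number" && typeof y === "number") return x < y ? -1 : 1;
    if (typeof x === "number") return -1; // numeric identifiers sort below alphanumeric
    if (typeof y === "number") return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// Affected ranges exactly as the advisory lists them; each inner array is one
// range whose comparators must all hold for the version to match.
const AFFECTED = {
  "@xmldom/xmldom": [[["=", "0.9.0-beta.1"]], [["<", "0.7.6"]], [[">=", "0.8.0"], ["<", "0.8.3"]]],
  "xmldom": [[["<=", "0.6.0"]]],
};
const OPS = { "=": c => c === 0, "<": c => c < 0, "<=": c => c <= 0, ">=": c => c >= 0 };

function isAffected(pkg, version) {
  return (AFFECTED[pkg] || []).some(range =>
    range.every(([op, bound]) => OPS[op](compareVersions(version, bound))));
}
```

Feed it the version from `npm ls @xmldom/xmldom xmldom` output; a `true` result means the installed version is inside an affected range and should move to ~0.7.6, ~0.8.3 or >=0.9.0-beta.2.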

Workarounds

None

References

#437

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2022-37616

Weaknesses

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Learn more on MITRE.

Credits