CVE-2022-39353
Published: 2 November 2022
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
node-xmldom Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(0.1.27+ds-1+deb10u2build0.20.04.1)
|
|
| jammy |
Released
(0.7.5-1ubuntu0.22.04.1)
|
|
| kinetic |
Released
(0.7.5-1ubuntu0.22.10.1)
|
|
| lunar |
Not vulnerable
(0.8.6-1)
|
|
| trusty |
Ignored
(out of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(out of standard support)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |