CVE-2022-39353
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/11/2022
Last modified:
01/03/2023
Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:* | 0.6.0 (excluding) | |
| cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:* | 0.7.0 (including) | 0.7.7 (excluding) |
| cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:* | 0.8.0 (including) | 0.8.4 (excluding) |
| cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta3:*:*:*:node.js:*:* | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page