CVE-2022-39353

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top-level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to the issuance of CVE-2022-39299, as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, use one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`, or reject a document that has more than one `childNode`. Note that a comment or processing instruction in the XML prolog is also a `childNode` of the `Document`, so counting only element children is the more precise form of that check.
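The two workarounds above, as an added JavaScript example that is not code from the xmldom project or from this advisory. It assumes only the DOM Level 2 Core members named in the text (`childNodes`, `nodeType`, `documentElement`, `getElementsByTagName`) and so works against a real `Document` from `@xmldom/xmldom` or a browser; the `el`/`fakeDocument` helpers and the `Response`/`Status`/`Assertion` tag names are a constructed stand-in for the multi-root tree a vulnerable xmldom build returns, so the block runs without the package installed.

```javascript
'use strict';
// DOM Level 2 Core node type codes; any compliant Document (xmldom, browser) uses them.
const ELEMENT_NODE = 1;
const COMMENT_NODE = 8;
const DOCUMENT_NODE = 9;

// Count element children directly under the Document node. A well-formed XML
// document has exactly one; xmldom before the fix silently produces several.
function countRootElements(doc) {
  let n = 0;
  for (let i = 0; i < doc.childNodes.length; i++) {
    if (doc.childNodes[i].nodeType === ELEMENT_NODE) n++;
  }
  return n;
}

// Advisory workaround: reject any document that is not single-rooted.
// Comments and processing instructions beside the root are legal XML, so
// only element children are counted.
function assertSingleRootElement(doc) {
  const n = countRootElements(doc);
  if (n !== 1) {
    throw new Error('rejected XML: expected 1 root element, found ' + n);
  }
  return doc;
}

// Advisory workaround: search under documentElement, not the whole Document,
// so elements smuggled in as extra top-level roots are never reached.
function findInRoot(doc, tagName) {
  const hits = doc.documentElement.getElementsByTagName(tagName);
  return hits.length > 0 ? hits[0] : null;
}

// The pattern the advisory warns about: searching the whole Document.
function findAnywhere(doc, tagName) {
  const hits = doc.getElementsByTagName(tagName);
  return hits.length > 0 ? hits[0] : null;
}

// ---- constructed stand-in for the tree a vulnerable xmldom build returns ----
// Assumption: only as much of the DOM API as the helpers above touch. This is
// not xmldom code; it mirrors the behaviour the advisory describes.
function el(tagName, children, id) {
  const node = { nodeType: ELEMENT_NODE, tagName, id: id || null, childNodes: children || [] };
  node.getElementsByTagName = function (name) {
    const out = [];
    (function walk(parent) {
      for (const c of parent.childNodes) {
        if (c.nodeType !== ELEMENT_NODE) continue;
        if (c.tagName === name) out.push(c);
        walk(c);
      }
    })(node);
    return out;
  };
  return node;
}

function fakeDocument(topLevelNodes) {
  const doc = { nodeType: DOCUMENT_NODE, childNodes: topLevelNodes };
  // Like xmldom: documentElement is the first element child only ...
  doc.documentElement = topLevelNodes.find((n) => n.nodeType === ELEMENT_NODE) || null;
  // ... but a Document-wide search walks every top-level element, extra roots included.
  doc.getElementsByTagName = function (name) {
    const out = [];
    for (const n of topLevelNodes) {
      if (n.nodeType !== ELEMENT_NODE) continue;
      if (n.tagName === name) out.push(n);
      out.push(...n.getElementsByTagName(name));
    }
    return out;
  };
  return doc;
}

// Constructed input: the tree vulnerable xmldom builds for
//   <!--c--><Response><Status/></Response><Response><Assertion/></Response>
// Tag names are illustrative only.
const multiRoot = fakeDocument([
  { nodeType: COMMENT_NODE, childNodes: [] },
  el('Response', [el('Status', [], 'ok')], 'trusted-root'),
  el('Response', [el('Assertion', [], 'forged')], 'extra-root'),
]);

// Constructed input: a well-formed single-root document.
const singleRoot = fakeDocument([
  el('Response', [el('Status', [], 'ok')], 'trusted-root'),
]);
```

On `multiRoot`, `findAnywhere(multiRoot, 'Assertion')` returns the element under the second root even though `documentElement` (the node a caller would have validated) contains no `Assertion`, while `findInRoot` returns `null` and `assertSingleRootElement` throws. Against a real `Document`, pass the result of `new DOMParser().parseFromString(...)` in place of the constructed objects.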
Provider    Type   Base Score     Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST        NIST   9.4 CRITICAL   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
GitHub_M    CNA    9.4 CRITICAL   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVE         ADP    ---            ---
CISA-ADP    ADP    ---            ---

Base Score: CVSS 3.x
EPSS Score: percentile 74%
Vendor            Product        Version
xmldom_project    xmldom         x < 0.6.0
xmldom_project    xmldom         0.7.0 ≤ x < 0.7.7
xmldom_project    xmldom         0.8.0 ≤ x < 0.8.4
xmldom_project    xmldom         0.9.0:beta1
xmldom_project    xmldom         0.9.0:beta2
xmldom_project    xmldom         0.9.0:beta3
debian            debian_linux   10.0
x = vulnerable software versions
Debian Releases (Debian product: node-xmldom)
Codename    Version            Status
bullseye    0.5.0-1+deb11u2    fixed
trixie      0.8.6-1            fixed
bookworm    0.8.6-1            fixed
sid         0.9.5-1            fixed
Ubuntu Releases (Ubuntu product: node-xmldom)
Codename   Fixed version                          Status
noble                                             needs-triage
mantic                                            ignored
lunar                                             not-affected
kinetic    0.7.5-1ubuntu0.22.10.1                 released
jammy      0.7.5-1ubuntu0.22.04.1                 released
focal      0.1.27+ds-1+deb10u2build0.20.04.1      released
bionic                                            dne
xenial                                            ignored
trusty                                            ignored