GMS-2022-6112: Duplicate of ./npm/@xmldom/xmldom/CVE-2022-39353.yml
Impact
xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes
collection of the Document
, without reporting any error or throwing.
This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.
Patches
Update to @xmldom/xmldom@~0.7.7
, @xmldom/xmldom@~0.8.4
(dist-tag latest
) or @xmldom/xmldom@>=0.9.0-beta.4
(dist-tag next
).
Workarounds
One of the following approaches might help, depending on your use case:
- Instead of searching for elements in the whole DOM, only search in the
documentElement
. - Reject a document with a document that has more then 1
childNode
.
References
For more information
If you have any questions or comments about this advisory:
- Email us at security@xmldom.org
References
Detect and mitigate GMS-2022-6112 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →