CVE-2022-21144: Denial of service vulnerability exists in libxmljs

May 1, 2022 (updated August 8, 2023)

This affects all versions of package libxmljs. When invoking the libxmljs.parseXml function with a non-buffer argument the V8 code will attempt invoking the .toString method of the argument. If the argument’s toString value is not a Function object V8 will crash.

References

github.com/advisories/GHSA-773h-w45w-f2f9
github.com/libxmljs/libxmljs/commit/2501807bde9b38cfaed06d1e140487516d91379d
github.com/libxmljs/libxmljs/pull/594
nvd.nist.gov/vuln/detail/CVE-2022-21144
snyk.io/vuln/SNYK-JS-LIBXMLJS-2348756

Detect and mitigate CVE-2022-21144 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →