xmldom@0.1.10 vulnerabilities

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Direct Vulnerabilities

Known vulnerabilities in the xmldom package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Improper Input Validation

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Improper Input Validation due to parsing XML that is not well-formed, and contains multiple top-level elements. All the root nodes are being added to the childNodes collection of the Document, without reporting or throwing any error.

How to fix Improper Input Validation?

There is no fixed version for xmldom.

*
  • H
Prototype Pollution

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Prototype Pollution through the copy() function in dom.js. Exploiting this vulnerability is possible via the p variable.

DISPUTED This vulnerability has been disputed by the maintainers of the package. Currently the only viable exploit that has been demonstrated is to pollute the target object (rather then the global object which is generally the case for Prototype Pollution vulnerabilities) and it is yet unclear if this limited attack vector exposes any vulnerability in the context of this package.

See the linked GitHub Issue for full details on the discussion around the legitimacy and potential revocation of this vulnerability.

How to fix Prototype Pollution?

There is no fixed version for xmldom.

>=0.0.0
  • M
Improper Input Validation

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to Improper Input Validation. It does not correctly escape special characters when serializing elements are removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Note: Customers who use "xmldom" package, should use "@xmldom/xmldom" instead, as "xmldom" is no longer maintained.

How to fix Improper Input Validation?

There is no fixed version for xmldom.

*
  • M
XML External Entity (XXE) Injection

xmldom is an A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. Does not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

How to fix XML External Entity (XXE) Injection?

Upgrade xmldom to version 0.5.0 or higher.

<0.5.0