CVE-2021-21366

Misinterpretation of malicious XML input

CVSS 4.3 MEDIUM · EPSS 1.3% · CWE-115 · CWE-436
In short

The xmldom library does not correctly preserve parts of a specially crafted XML document (DOCTYPE system identifiers, public identifiers and namespace declarations) when it parses the document and serializes it back to text, so the document's structure can change from one processing step to the next. An attacker who can get such a document to an application that round-trips XML through xmldom may be able to alter its content in ways that slip past the application's validation checks.

Technical detail

xmldom ≤ 0.4.0 fails to preserve system identifiers, formal public identifiers (FPIs) and namespace declarations across repeated parse-serialize cycles on maliciously crafted XML. A remote, unauthenticated attacker who can get a crafted document in front of a vulnerable downstream application (the CVSS vector is PR:N with UI:R, so some user or workflow action is needed) can cause the document to change syntactically as it is processed, which may circumvent validation logic or security policies that were evaluated against an earlier form of the document (CWE-115: Misinterpretation of Input, CWE-436: Interpretation Conflict). The issue is fixed in xmldom 0.5.0.

Summary generated and translated by AI from the official description.
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
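The following is an added example, not code from the advisory or from the xmldom project, showing what the "validate the input and reject" workaround above can look like for the drift described in the technical detail: a structural fingerprint of the DOCTYPE (name, public identifier, system identifier) and the namespace declarations, a pre-parse policy that refuses DOCTYPE declarations outright when the application does not need them, and a round-trip gate that parses and serializes the document twice and rejects it if the fingerprint changes or the serializer is not at a fixed point. The `parse`/`serialize` functions are caller-supplied (for xmldom they would wrap `DOMParser`/`XMLSerializer`); the stand-in pairs, the sample document and the "lossy" behaviour below are constructed for the demo and are not xmldom's actual behaviour or trigger.

```javascript
// Added example (not from the advisory or the xmldom project). A defense-in-depth
// gate for applications that parse XML and serialize it back, the pattern that
// CVE-2021-21366 affects. `parse`/`serialize` are supplied by the caller; the
// stand-in pairs and SAMPLE document below are constructed for this demo only.

const pick = (g) => (g === undefined ? null : g);

// Extract the facts the advisory says may not survive a parse/serialize cycle:
// DOCTYPE name, public identifier (FPI), system identifier, and namespace
// declarations. It reads the *serialized text*, so it does not depend on the
// parser under test (and cannot be fooled by the parser's own DOM view).
function structuralFingerprint(xml) {
  const dt = xml.match(
    /<!DOCTYPE\s+([^\s>\[]+)(?:\s+PUBLIC\s+"([^"]*)"\s+"([^"]*)"|\s+SYSTEM\s+"([^"]*)")?/i
  );
  const namespaces = [];
  const nsRe = /\sxmlns(?::([A-Za-z_][\w.-]*))?\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = nsRe.exec(xml)) !== null) {
    namespaces.push(`${m[1] || '(default)'}=${m[2]}`);
  }
  namespaces.sort(); // attribute order is not significant in XML
  return {
    doctypeName: dt ? dt[1] : null,
    publicId: dt ? pick(dt[2]) : null,
    systemId: dt ? pick(dt[3] ?? dt[4]) : null,
    namespaces,
  };
}

function sameFingerprint(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Pre-parse policy: if the application never needs DTDs, refuse any document
// carrying a DOCTYPE before it reaches the parser at all. This is the simplest
// form of "validate the input and reject the crafted document".
function preflight(xml, { allowDoctype = false } = {}) {
  const fp = structuralFingerprint(xml);
  if (!allowDoctype && fp.doctypeName !== null) {
    return { ok: false, reason: `DOCTYPE "${fp.doctypeName}" is not allowed` };
  }
  return { ok: true, reason: null };
}

// Round-trip gate: the structure seen by the validator (the input) must match
// what downstream code will see (the first serialization), and the serializer
// must be a fixed point of its own output (second cycle identical to the first).
function roundTripCheck(xml, parse, serialize) {
  const once = serialize(parse(xml));
  const twice = serialize(parse(once));
  const problems = [];
  if (!sameFingerprint(structuralFingerprint(xml), structuralFingerprint(once))) {
    problems.push('DOCTYPE or namespace structure changed after one parse/serialize cycle');
  }
  if (once !== twice) {
    problems.push('serializer output is not a fixed point (second cycle differs)');
  }
  return { ok: problems.length === 0, problems, once, twice };
}

// Constructed stand-ins so the gate runs offline. `faithfulPair` round-trips the
// text unchanged; `lossyPair` drops the PUBLIC identifier to mimic the *kind* of
// drift the advisory describes (hypothetical, not xmldom's real behaviour).
const faithfulPair = {
  parse: (xml) => ({ text: xml }),
  serialize: (doc) => doc.text,
};
const lossyPair = {
  parse: (xml) => ({ text: xml }),
  serialize: (doc) => doc.text.replace(/PUBLIC\s+"[^"]*"\s+("[^"]*")/, 'SYSTEM $1'),
};

// Constructed sample document with an FPI, a system identifier and two
// namespace declarations, i.e. everything the fingerprint tracks.
const SAMPLE =
  '<?xml version="1.0"?>\n' +
  '<!DOCTYPE note PUBLIC "-//example//DTD note//EN" "https://example.invalid/note.dtd">\n' +
  '<n:note xmlns:n="urn:example:note" xmlns="urn:example:default">' +
  '<n:body>hello</n:body></n:note>';

console.log('preflight (no DOCTYPE allowed):', preflight(SAMPLE));
console.log('faithful round trip:', roundTripCheck(SAMPLE, faithfulPair.parse, faithfulPair.serialize).problems);
console.log('lossy round trip:', roundTripCheck(SAMPLE, lossyPair.parse, lossyPair.serialize).problems);
```

In a real deployment the gate runs once at the trust boundary, with `parse`/`serialize` bound to the same library and version the rest of the pipeline uses; a document that fails either check is rejected rather than "repaired", since the whole point is that the validator and the consumer must agree on what the document says.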
Affected products
xmldom · xmldom
