CVE-2021-32796

Misinterpretation of malicious XML input in xmldom

CVSS 6.5 MEDIUM · EPSS 1.3% · CWE-116
In short

The xmldom library fails to properly escape special characters when serializing XML elements that have been removed from their parent structure, which can cause malicious XML input to be misinterpreted and potentially alter how downstream applications process the data.

Technical detail

xmldom ≤0.6.0 improperly escapes special characters during serialization of detached XML nodes, allowing an attacker to craft malicious XML documents that undergo unexpected syntactic transformations when processed by dependent applications; exploitation requires the application to parse and serialize untrusted XML content.

Summary generated and translated by AI from the official description.
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.
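A defender-side round-trip probe for the escaping defect described above, added here as an example (it is not code from the advisory or from the xmldom project). It assumes a DOM implementation exposing `DOMParser` and `XMLSerializer` with the standard `parseFromString`, `removeChild` and `serializeToString` methods, as xmldom provides; the element names and probe text are constructed for this check.

```javascript
// Escape character data the way an XML serializer must: '&' and '<' can never
// appear raw inside a text node without changing how the document is parsed.
function escapeXmlText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;');
}

// Constructed probe input: an entity start and a tag start, the two characters
// whose loss of escaping produces the syntactic change the advisory describes.
const PROBE_TEXT = 'a&b<c';
const PROBE_DOC = `<root><child>${escapeXmlText(PROBE_TEXT)}</child></root>`;

// Inspect what a serializer emitted for the detached <child> element and report
// any raw '&' (not starting a known entity reference) or '<' in its character data.
function checkDetachedSerialization(serialized) {
  const inner = serialized.replace(/^<child[^>]*>/, '').replace(/<\/child>$/, '');
  const raw = [];
  if (/&(?!amp;|lt;)/.test(inner)) raw.push('&');
  if (/</.test(inner)) raw.push('<');
  return { ok: raw.length === 0, raw, serialized };
}

// Run the probe against a DOM implementation (hypothetical parameter shape:
// an object with DOMParser and XMLSerializer constructors, e.g. the xmldom module).
// The child is detached with removeChild before serializing, which is the
// condition under which xmldom 0.6.0 and older skipped escaping.
function probe({ DOMParser, XMLSerializer }) {
  const doc = new DOMParser().parseFromString(PROBE_DOC, 'text/xml');
  const root = doc.documentElement;
  const child = root.firstChild;
  root.removeChild(child); // child no longer has an ancestor
  const out = new XMLSerializer().serializeToString(child);
  return checkDetachedSerialization(out);
}

if (typeof require === 'function' && require.main === module) {
  try {
    const result = probe(require('xmldom')); // package name as used in the advisory
    console.log(result.ok
      ? 'detached node serialized with escaping intact'
      : 'UNESCAPED characters on detached node: ' + result.raw.join(', '));
  } catch (e) {
    console.log('xmldom not available for the live probe: ' + e.message);
  }
}
```

Run the file with the xmldom package installed to test an installed version; the pure `checkDetachedSerialization` helper can also be applied to serializer output captured elsewhere.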
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
xmldom · xmldom
