CVE-2022-39353Improper Validation of Consistency within Input in Project Xmldom

CWE-1288Improper Validation of Consistency within InputCWE-20Improper Input Validation9 documents7 sources
Severity
9.8CRITICALNVD
GHSA8.1OSV8.1OSV4.3
EPSS
1.0%
top 23.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Xmldom Project XmldomDebian Node-xmldomXmldom+6 more
Timeline
PublishedNov 2
Latest updateMay 24

Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages8 packages

debiandebian/node-xmldom< node-xmldom 0.8.6-1 (bookworm)
npmxmldom/xmldom0.8.00.8.4+3
NVDxmldom_project/xmldom0.7.00.7.7+3

Also affects: Debian Linux 10.0

🔴Vulnerability Details

4
OSV
node-xmldom vulnerabilities2023-05-24
OSV
CVE-2022-39353: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module2022-11-02
GHSA
xmldom allows multiple root nodes in a DOM2022-11-01
OSV
xmldom allows multiple root nodes in a DOM2022-11-01

📋Vendor Advisories

4
Ubuntu
xmldom vulnerabilities2023-05-24
Microsoft
xmldom allows multiple root nodes in a DOM2022-11-08
Red Hat
xmldom: Allows multiple root elements in a DOM tree2022-11-02
Debian
CVE-2022-39353: node-xmldom - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser...2022
CVE-2022-39353 — Xmldom Project Xmldom vulnerability | cvebase