GHSA-776f-qx25-q3cc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-776f-qx25-q3cc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-776f-qx25-q3cc/GHSA-776f-qx25-q3cc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-776f-qx25-q3cc
- Aliases
- Published
- 2023-04-05T21:30:24Z
- Modified
- 2024-03-14T21:47:26Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- xml2js is vulnerable to prototype pollution
- Details
-
xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the
__proto__property to be edited. - Database specific
{ "nvd_published_at": "2023-04-05T20:15:00Z", "cwe_ids": [ "CWE-1321" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-04-07T21:00:54Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-0842
- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5
- https://fluidattacks.com/advisories/myers
- https://github.com/Leonidas-from-XIV/node-xml2js
- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html
Affected packages
npm / xml2js
Package
- Name
- xml2js
- View open source insights on deps.dev
- Purl
- pkg:npm/xml2js