GHSA-x3cc-x39p-42qx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x3cc-x39p-42qx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-x3cc-x39p-42qx/GHSA-x3cc-x39p-42qx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x3cc-x39p-42qx
- Aliases
- Published
- 2023-06-13T12:44:34Z
- Modified
- 2023-12-19T21:11:20.545596Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
- Details
-
Impact
As a part of this vulnerability, user was able to se code using
__proto__as a tag or attribute name.const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser"); let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>" const parser = new XMLParser(); let jObj = parser.parse(XMLdata); console.log(jObj.polluted) // should return hackedPatches
The problem has been patched in v4.1.2
Workarounds
User can check for "proto" in the XML string before parsing it to the parser.
References
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
- Database specific
{ "nvd_published_at": "2023-12-12T17:15:07Z", "cwe_ids": [ "CWE-1321" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-06-13T12:44:34Z" }- References
-
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx
- https://nvd.nist.gov/vuln/detail/CVE-2023-26920
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804
- https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
- https://github.com/NaturalIntelligence/fast-xml-parser
- https://github.com/advisories/GHSA-793h-6f7r-6qvm
Affected packages
npm / fast-xml-parser
Package
- Name
- fast-xml-parser
- View open source insights on deps.dev
- Purl
- pkg:npm/fast-xml-parser