Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

2022-10-1120:42:57

CWE-1321

GitHub Advisory Database

github.com

prototype pollution

xmldom

vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

69.2%

JSON

Withdrawn

This advisory has been withdrawn because the maintainers of @xmldom/xmldom and multiple third parties disputed the validity of the issue. Attempts to create or replicate a proof of concept have been unsuccessful.

Original Description

Impact

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.

Patches

Update to @xmldom/xmldom@~0.7.6, @xmldom/xmldom@~0.8.3 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.2 (dist-tag next).

Workarounds

None

References

https://github.com/xmldom/xmldom/pull/437

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]
Add information to https://github.com/xmldom/xmldom/issues/436

Affected configurations

Vulners

Node

xmldomxmldomRange<0.7.6

xmldomxmldomRange0.8.0–0.8.3

xmldomxmldomMatch0.9.0-beta.1

xmldomxmldomRange≤0.6.0

VendorProductVersionCPE
xmldomxmldom*cpe:2.3:a:xmldom:xmldom:*:*:*:*:*:*:*:*
xmldomxmldom0.9.0-beta.1cpe:2.3:a:xmldom:xmldom:0.9.0-beta.1:*:*:*:*:*:*:*