CVE-2021-21366
XML Processing vulnerability in xmldom (npm)
What is CVE-2021-21366 About?
The `xmldom` npm package, versions 0.4.0 and older, does not reliably preserve DOCTYPE system identifiers, Formal Public Identifiers (FPIs) or namespace declarations when a maliciously crafted XML document is parsed and serialized repeatedly, so the document that comes out of a round trip can differ syntactically from the one that went in. Downstream applications that treat parse-and-serialize as lossless (for example, code that validates, signs or inspects one form of a document and then acts on another) can suffer data integrity problems or bypass of security checks. Exploitation requires the attacker to supply the crafted XML input.
Affected Software
Technical Details
In xmldom 0.4.0 and older, a crafted document's system identifier, FPI or namespace declarations can be dropped or altered by the serializer after parsing, so parsing the serialized output again yields a document that no longer matches the original in those fields. The security-relevant consequence is a mismatch between what one component sees and what another acts on: a validator, signature check or policy engine that inspects the input document, and a consumer that reads the re-serialized one, may reach different conclusions about which DTD applies or which namespace an element belongs to. Applications that key processing or authorization logic on these identifiers can therefore process incorrect data or fail to enforce the intended policy.
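The practical defence for this defect class is to verify that a parse-and-serialize round trip did not change the identifiers an application depends on, and to fail closed when it did. The following is an added example, not code from xmldom or from this advisory: a round-trip consistency check that extracts the DOCTYPE root name, public and system identifiers and every xmlns declaration from the input and from the serialized output, and reports any difference. It uses Node.js builtins only; the identifier scanner is a small regex-based helper written for this example, the sample document is constructed, and the `lossySerialize` stand-in simulates a serializer losing an FPI and a namespace declaration (it is not a reproduction of xmldom's actual behaviour on any particular input).

```javascript
// Added example, not code from xmldom or this advisory: a round-trip
// consistency check for the defect class in CVE-2021-21366 (DOCTYPE system
// identifiers, Formal Public Identifiers and namespace declarations that do
// not survive parse -> serialize). Node.js builtins only. The identifier
// scanner below is a small regex-based helper written for this example, and
// the `lossySerialize` stand-in is constructed to simulate a lossy serializer;
// it is not xmldom's actual behaviour.

// Pull out the features the advisory is about: the DOCTYPE root name, public
// and system identifiers, and every xmlns declaration (prefix -> URI; the
// default namespace is stored under the empty-string prefix).
function extractIdentifiers(xml) {
  const dt = /<!DOCTYPE\s+([^\s>\[]+)(?:\s+PUBLIC\s+"([^"]*)"\s+"([^"]*)"|\s+SYSTEM\s+"([^"]*)")?/i.exec(xml);
  const namespaces = {};
  const nsRe = /\sxmlns(?::([A-Za-z_][\w.-]*))?\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = nsRe.exec(xml)) !== null) {
    namespaces[m[1] || ''] = m[2];
  }
  return {
    rootName: dt ? dt[1] : null,
    publicId: dt ? (dt[2] ?? null) : null,
    systemId: dt ? (dt[3] ?? dt[4] ?? null) : null,
    namespaces,
  };
}

// Parse, serialize, and compare the identifiers of the output text with those
// of the input. Returns a list of human-readable differences; empty = stable.
function roundTripDifferences(xml, parse, serialize) {
  const before = extractIdentifiers(xml);
  const after = extractIdentifiers(serialize(parse(xml)));
  const diffs = [];
  for (const key of ['rootName', 'publicId', 'systemId']) {
    if (before[key] !== after[key]) {
      diffs.push(`${key}: ${JSON.stringify(before[key])} -> ${JSON.stringify(after[key])}`);
    }
  }
  const prefixes = new Set([...Object.keys(before.namespaces), ...Object.keys(after.namespaces)]);
  for (const p of prefixes) {
    const a = before.namespaces[p] ?? null;
    const b = after.namespaces[p] ?? null;
    if (a !== b) {
      diffs.push(`xmlns${p ? ':' + p : ''}: ${JSON.stringify(a)} -> ${JSON.stringify(b)}`);
    }
  }
  return diffs;
}

// Fail closed: refuse to act on a document whose round trip changed any of the
// identifiers, rather than letting one component see a different document
// than the one that was validated.
function assertRoundTripStable(xml, parse, serialize) {
  const diffs = roundTripDifferences(xml, parse, serialize);
  if (diffs.length > 0) {
    throw new Error('XML round trip is not stable:\n  ' + diffs.join('\n  '));
  }
  return true;
}

// Constructed sample document (not from the advisory): a DOCTYPE with both a
// public and a system identifier, a default namespace and a prefixed one.
const SAMPLE = [
  '<?xml version="1.0"?>',
  '<!DOCTYPE policy PUBLIC "-//EXAMPLE//DTD Policy 1.0//EN" "http://example.invalid/policy.dtd">',
  '<policy xmlns="urn:example:policy" xmlns:sig="urn:example:sig">',
  '  <sig:Signature>...</sig:Signature>',
  '</policy>',
].join('\n');

// Stand-ins so the example runs without an XML library. With xmldom installed
// these would be
//   parse     = (xml) => new DOMParser().parseFromString(xml, 'text/xml')
//   serialize = (doc) => new XMLSerializer().serializeToString(doc)
const identityParse = (xml) => ({ xml });
const faithfulSerialize = (doc) => doc.xml;
// Simulated lossy serializer (constructed for this example): downgrades the
// PUBLIC doctype to SYSTEM, losing the FPI, and drops the sig namespace
// declaration.
const lossySerialize = (doc) =>
  doc.xml
    .replace(/PUBLIC\s+"[^"]*"\s+("[^"]*")/i, 'SYSTEM $1')
    .replace(/\s+xmlns:sig="[^"]*"/, '');

console.log('faithful:', roundTripDifferences(SAMPLE, identityParse, faithfulSerialize));
console.log('lossy:   ', roundTripDifferences(SAMPLE, identityParse, lossySerialize));
```

Wire `parse` and `serialize` to the library's real `DOMParser` and `XMLSerializer` and run `assertRoundTripStable` on a document before it is used for a signature check, authorization decision or policy evaluation, treating a non-empty difference list as a rejection rather than a warning. The check compares the declarations at text level; it is a targeted guard for the kind of loss this advisory describes, not a full canonical-equality test, and upgrading the library remains the actual fix.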
What is the Impact of CVE-2021-21366?
Successful exploitation lets an attacker cause a crafted XML document to change syntactically across a parse-and-serialize round trip, which can produce data integrity problems, bypass of security policies keyed on DOCTYPE identifiers or namespaces, or other misbehaviour in applications that assume XML processing is consistent.
What is the Exploitability of CVE-2021-21366?
Exploitation requires an attacker to get a maliciously crafted XML document into an application that parses and serializes it with a vulnerable xmldom version. The complexity is moderate: crafting a document that triggers the preservation issue requires some understanding of XML parsing and serialization. No authentication or privilege requirements are noted, so the issue is remotely reachable wherever the application accepts external XML. The primary constraint is the attacker's ability to influence the XML the application processes; web applications that parse user-uploaded or externally sourced XML are the main risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-21366?
Available Upgrade Options
- xmldom
  - <0.5.0 → Upgrade to 0.5.0 or later (the unscoped `xmldom` package has since been superseded by `@xmldom/xmldom`, which continues the same code base)
Additional Resources
- https://github.com/xmldom/xmldom/releases/tag/0.5.0
- https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
- https://www.npmjs.com/package/xmldom
- https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
- https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
- https://osv.dev/vulnerability/GHSA-h6q6-9hqw-rwfv
What are Similar Vulnerabilities to CVE-2021-21366?
Similar Vulnerabilities: CVE-2020-25211, CVE-2019-14439, CVE-2018-8037, CVE-2017-15060, CVE-2016-5694
