CVE-2021-32796
Improper Output Neutralization vulnerability in xmldom (npm)


What is CVE-2021-32796 About?

`xmldom` versions 0.6.0 and older suffer from an Improper Output Neutralization vulnerability where special characters are not correctly escaped during the serialization of XML elements. This can lead to unexpected syntactic changes in XML documents, potentially disrupting downstream applications. Exploitation occurs when specific XML elements are removed from their parent and then serialized.

Affected Software

  • xmldom
    • <=0.6.0
  • @xmldom/xmldom
    • <0.7.0

Technical Details

The vulnerability in xmldom versions 0.6.0 and older is an Improper Output Neutralization issue. When XML elements are removed from their ancestor (i.e., detached from the DOM tree) and then serialized back into a string, the library fails to correctly escape certain special characters that may be present within these elements. This leads to the generation of malformed or syntactically altered XML output. Downstream applications that parse or process this incorrectly serialized XML may misinterpret its structure or content, potentially leading to unexpected application behavior, data corruption, or further vulnerabilities like injection attacks depending on how the malformed XML is handled.

What is the Impact of CVE-2021-32796?

Successful exploitation may lead to unexpected changes in the syntax and structure of XML documents, which can cause downstream applications to misinterpret data, result in data corruption, or introduce parsing errors that could potentially be leveraged for other attacks.

What is the Exploitability of CVE-2021-32796?

Exploitation of this vulnerability requires an attacker to be able to supply XML input that is subsequently processed by xmldom, specifically involving elements that are removed from their original ancestor and then serialized. The complexity is moderate, as it depends on the application's XML processing logic. There are no explicit authentication or privilege requirements to trigger the flaw. The vulnerability could be exploited remotely if the application accepts untrusted XML input from external sources. The primary risk factor is applications that process unvalidated XML documents using affected xmldom versions, especially those that involve manipulating detached XML nodes and then serializing them.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2021-32796?

Available Upgrade Options

  • @xmldom/xmldom
    • <0.7.0 → Upgrade to 0.7.0
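
To find where an affected copy is installed, including copies pulled in transitively, the check below walks the `packages` map of an npm lockfile and applies the two affected ranges listed on this page. It is an added example, not code from the advisory or from the xmldom project; the function names and the sample lockfile are constructed for illustration, and pre-release suffixes are ignored when comparing versions.

```javascript
// Affected ranges exactly as listed on this page.
const AFFECTED = {
  "xmldom": { op: "<=", version: "0.6.0" },
  "@xmldom/xmldom": { op: "<", version: "0.7.0" },
};

// Compare two x.y.z versions numerically; returns -1, 0 or 1.
// Assumption: pre-release/build suffixes ("-beta.1", "+sha") are dropped.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split(".").map(Number);
  const pb = b.split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

function isAffected(name, version) {
  const rule = AFFECTED[name];
  if (!rule) return false;
  const c = compareVersions(version, rule.version);
  return rule.op === "<=" ? c <= 0 : c < 0;
}

// Walk a lockfileVersion 2/3 "packages" map. Keys look like
// "node_modules/a/node_modules/xmldom"; aliased installs carry a "name" field.
function findAffected(lock) {
  const marker = "node_modules/";
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || !meta.version) continue;
    const name = meta.name || path.slice(idx + marker.length);
    if (isAffected(name, meta.version)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/xmldom": { version: "0.6.0" },
  "node_modules/@xmldom/xmldom": { version: "0.7.0" },
  "node_modules/some-lib/node_modules/xmldom": { version: "0.1.27" },
  "node_modules/xml-alias": { name: "@xmldom/xmldom", version: "0.8.10" },
} };

console.log(findAffected(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of `package-lock.json` to `findAffected`; each hit's `path` shows which dependency pulled the affected copy in.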

What are Similar Vulnerabilities to CVE-2021-32796?

Similar Vulnerabilities: CVE-2020-7734, CVE-2020-13768, CVE-2020-15383, CVE-2020-25211, CVE-2020-28928