CVE-2022-39353
XML Parsing vulnerability in xmldom (npm)

Category: XML Parsing. Known public exploits: none.

What is CVE-2022-39353 About?

Affected versions of xmldom parse XML that contains more than one top-level element without reporting an error, breaking the well-formedness rule that a document has exactly one root element. The parser itself discloses nothing; the risk sits in code that consumes the resulting DOM on the assumption of a single root, where the extra elements can lead to logic bypasses, information disclosure or denial of service. An attacker triggers the condition simply by supplying crafted XML input.

Affected Software

  • xmldom
    • <=0.6.0
  • @xmldom/xmldom
    • >0.9.0-beta.1, <0.9.0-beta.4
    • >0.8.0, <0.8.4
    • <0.7.7

Technical Details

@xmldom/xmldom before 0.7.7, the 0.8.x line before 0.8.4 and the 0.9.0 pre-releases before 0.9.0-beta.4 (as well as every release of the unmaintained unscoped xmldom package) do not enforce the well-formedness rule that an XML document has exactly one root element. Given input with several top-level elements, the parser appends every one of them to the childNodes collection of the Document object and reports no parsing error. This departs from the XML document model and produces unexpected control flow in applications that assume a single root, for example a consumer that validates a signature over one element and then reads data from a sibling element the attacker appended. CVE-2022-39299 (a signature bypass in passport-saml involving multiple root elements) is an example of a downstream flaw enabled by this behaviour; other consumers can exhibit similar logic errors.

What is the Impact of CVE-2022-39353?

The parser does not crash or leak data on its own. The impact depends on the consuming application: an attacker who controls the XML can bypass checks that were performed on one root element while the application reads from another, corrupt data structures built from the DOM, or trigger unexpected behaviour that results in information disclosure or denial of service.

What is the Exploitability of CVE-2022-39353?

Exploitation requires only that the attacker can deliver malformed XML to an application that parses it with a vulnerable xmldom release. Complexity is low: the payload is a document with two or more top-level elements. xmldom imposes no authentication or privilege requirement of its own; whether an unauthenticated or low-privileged party can reach the parser depends entirely on the application that wraps it. When the XML arrives over the network (SAML responses, SOAP bodies, API payloads, configuration uploads) the issue is remotely reachable. The highest-risk deployments are externally facing applications that parse XML from untrusted sources without their own structural validation and then process the DOM on the assumption of a single root node, because that assumption is exactly what the extra elements violate.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2022-39353?

Available Upgrade Options

  • @xmldom/xmldom
    • <0.7.7 → Upgrade to 0.7.7
    • >0.8.0, <0.8.4 → Upgrade to 0.8.4
    • >0.9.0-beta.1, <0.9.0-beta.4 → Upgrade to 0.9.0-beta.4
  • xmldom (unscoped package)
    • No fixed release exists; migrate to @xmldom/xmldom 0.7.7 or later

Where an upgrade cannot be scheduled immediately, two mitigations limit exposure: look up elements only beneath documentElement rather than across the whole Document, and reject any parsed Document whose childNodes contain more than one element node.
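The following is an added example, not code from the xmldom project or from this page, showing both sides of the mitigation described in the Technical Details and Exploitability sections: a pre-parse guard that counts top-level elements in raw XML text, and a post-parse guard that inspects the Document object a DOM parser returned. The sample documents are constructed for illustration; the @xmldom/xmldom call named in the comment (`new DOMParser().parseFromString(xml, 'text/xml')`) is its documented public API but is not executed here, so the block runs without the package installed.

```javascript
// Added example, not code from the xmldom project: a pre-parse guard that
// counts top-level elements in raw XML text, and a post-parse guard that
// inspects the Document a DOM parser returned. Both reject the multiple-root
// input that vulnerable xmldom versions accept silently.

const ELEMENT_NODE = 1; // Node.ELEMENT_NODE in the DOM standard

/**
 * Count element nodes at document level (depth 0) in `xml`.
 * Skips the XML declaration, processing instructions, comments, CDATA
 * sections and a DOCTYPE (including a simple internal subset), tolerates
 * '>' inside quoted attribute values, and throws on unbalanced tags.
 * A well-formed document returns exactly 1.
 */
function countTopLevelElements(xml) {
  const n = xml.length;
  let i = 0;
  let depth = 0;
  let count = 0;

  // Move `i` just past the next occurrence of `marker`, or throw if absent.
  const skipPast = (marker, what) => {
    const end = xml.indexOf(marker, i);
    if (end === -1) throw new Error(`unterminated ${what}`);
    i = end + marker.length;
  };

  while (i < n) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break; // only trailing character data remains
    i = lt;

    if (xml.startsWith('<!--', i)) { skipPast('-->', 'comment'); continue; }
    if (xml.startsWith('<![CDATA[', i)) { skipPast(']]>', 'CDATA section'); continue; }
    if (xml.startsWith('<?', i)) { skipPast('?>', 'processing instruction'); continue; }
    if (xml.startsWith('<!DOCTYPE', i)) {
      // An internal subset "[ ... ]" may itself contain '>' characters;
      // skip to its closing ']' before looking for the DOCTYPE's own '>'.
      const gt = xml.indexOf('>', i);
      const lb = xml.indexOf('[', i);
      if (lb !== -1 && gt !== -1 && lb < gt) { i = lb; skipPast(']', 'DOCTYPE internal subset'); }
      skipPast('>', 'DOCTYPE');
      continue;
    }
    if (xml.startsWith('</', i)) {
      skipPast('>', 'end tag');
      depth -= 1;
      if (depth < 0) throw new Error('end tag without matching start tag');
      continue;
    }

    // Start tag: find its '>' while ignoring any '>' inside quoted attributes.
    let j = i + 1;
    let quote = null;
    while (j < n) {
      const c = xml[j];
      if (quote !== null) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
      j += 1;
    }
    if (j >= n) throw new Error('unterminated start tag');
    if (depth === 0) count += 1;        // an element opened at document level
    if (xml[j - 1] !== '/') depth += 1; // self-closing tags do not nest
    i = j + 1;
  }

  if (depth !== 0) throw new Error('start tag without matching end tag');
  return count;
}

/**
 * Post-parse guard for any DOM-shaped Document (for example the value
 * returned by new DOMParser().parseFromString(xml, 'text/xml') from
 * @xmldom/xmldom): exactly one element may appear in doc.childNodes, and
 * documentElement must be an element. Vulnerable xmldom versions append
 * every top-level element to childNodes, so this count exposes the
 * condition even though the parser raised no error.
 */
function hasSingleRootElement(doc) {
  let elements = 0;
  for (let k = 0; k < doc.childNodes.length; k += 1) {
    if (doc.childNodes[k].nodeType === ELEMENT_NODE) elements += 1;
  }
  return elements === 1 && doc.documentElement != null && doc.documentElement.nodeType === ELEMENT_NODE;
}

// Constructed sample inputs (not captured from a real attack).
const WELL_FORMED = '<?xml version="1.0"?><!-- note --><!DOCTYPE r [<!ENTITY e "x">]><r a="1>2"><![CDATA[</r>]]><b/></r>';
const TWO_ROOTS = '<Response><Assertion id="real"/></Response><Response><Assertion id="forged"/></Response>';

console.log('well-formed ->', countTopLevelElements(WELL_FORMED)); // 1
console.log('two roots   ->', countTopLevelElements(TWO_ROOTS));   // 2
```

The pre-parse scanner is deliberately a structural check rather than a full XML parser: it only needs to know where element boundaries are, so it does not resolve entities or validate names. Run it on untrusted input before handing the text to xmldom, and apply hasSingleRootElement to whatever Document the parser returns; together they close the gap for the consumer even while the vulnerable library is still in the dependency tree.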


Additional Resources

What are Similar Vulnerabilities to CVE-2022-39353?

Similar Vulnerabilities: CVE-2022-39299, CVE-2016-4447, CVE-2019-17558, CVE-2017-1000185, CVE-2018-1000001