CVE-2023-0842
Prototype Pollution vulnerability in xml2js (npm)
What is CVE-2023-0842 About?
xml2js versions before 0.5.0 are vulnerable to Prototype Pollution, allowing an external attacker to edit or add new properties to an object. This occurs because the application does not properly validate incoming JSON keys, permitting the `__proto__` property to be manipulated. This can lead to various impacts, from denial of service to remote code execution.
Affected Software
Technical Details
The xml2js library, specifically versions prior to 0.5.0, is susceptible to a Prototype Pollution vulnerability. This arises because the JSON parsing or conversion mechanism within the library does not adequately sanitize or validate incoming JSON keys. An attacker can supply specially crafted JSON input that includes the `__proto__` property. Because a lookup of `__proto__` on an ordinary object resolves to the global JavaScript `Object.prototype`, writing through that key injects or modifies properties on `Object.prototype` itself. Since most objects inherit methods and properties from `Object.prototype`, this allows an attacker to add or overwrite properties that will then be inherited by nearly all objects in the application, potentially leading to denial of service, unexpected behavior, or even remote code execution if sensitive functions are overwritten.
What is the Impact of CVE-2023-0842?
Successful exploitation may allow attackers to interfere with application logic, cause denial of service, bypass security controls, or potentially achieve remote code execution by manipulating global object properties.
What is the Exploitability of CVE-2023-0842?
Exploitation requires an attacker to be able to supply malicious JSON input to an application that uses a vulnerable version of xml2js. The complexity is moderate, as it involves crafting JSON payloads with the `__proto__` key to inject properties. Authentication and privilege requirements depend on whether the application accepts untrusted JSON input from unauthenticated or low-privileged sources; if so, the risk is higher. This is typically a remote exploit if the JSON input is received via network requests. Key risk factors include applications parsing user-controlled JSON or XML (which xml2js converts to a JSON structure) without robust validation, especially when handling data that might be merged or assigned to existing objects.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-0842?
About the Fix from Resolved Security
The patch mitigates CVE-2023-0842 by replacing direct property assignments with a `defineProperty` helper that ensures newly added object properties cannot be influenced by prototype pollution, as it creates properties using a safe, null-prototype descriptor. This eliminates the risk of prototype-manipulation attacks, closing the vulnerability where malicious input could escalate to remote code execution or denial of service via polluted object prototypes in the parser logic.
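As an added illustration (not xml2js's own code), the following constructed JavaScript contrasts the direct-assignment pattern behind the vulnerability with the `defineProperty`-and-null-prototype-descriptor pattern the fix description refers to; a generic nested-key setter stands in for the parser, and `setPathUnsafe`, `setPathSafe`, `hasOwn` and `runDemo` are assumed names. It also covers the `constructor` -> `prototype` route, which the page does not mention but which the same own-property discipline contains.

```javascript
'use strict';
// Constructed example, not xml2js's code: a vulnerable and a fixed nested-key
// setter stand in for a parser that builds objects from untrusted input keys.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// Vulnerable pattern: node[key] reads through the prototype chain, so the key
// "__proto__" resolves to Object.prototype and the leaf write lands on it.
function setPathUnsafe(root, path, value) {
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return root;
}

// Fix pattern: Object.defineProperty with a null-prototype descriptor. A key
// named "__proto__" becomes an ordinary own property, not a prototype change.
function defineProperty(obj, key, value) {
  const descriptor = Object.create(null);
  descriptor.value = value;
  descriptor.writable = true;
  descriptor.enumerable = true;
  descriptor.configurable = true;
  Object.defineProperty(obj, key, descriptor);
}
// Hardened setter: own-property lookups plus defineProperty for every write;
// this also closes the "constructor" -> "prototype" route.
function setPathSafe(root, path, value) {
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (!hasOwn(node, key) || typeof node[key] !== 'object' || node[key] === null) {
      defineProperty(node, key, {});
    }
    node = node[key];
  }
  defineProperty(node, path[path.length - 1], value);
  return root;
}

// Runs both setters on a "__proto__" key and watches an unrelated object.
function runDemo() {
  const probe = {}, results = {};
  setPathUnsafe({}, ['__proto__', 'polluted'], 'yes');
  results.unsafePollutes = probe.polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution before the safe run
  results.safeRoot = setPathSafe({}, ['__proto__', 'polluted'], 'yes');
  results.safePollutes = probe.polluted !== undefined;
  return results;
}
```

`runDemo()` returns `unsafePollutes: true` and `safePollutes: false`; the hardened result keeps the data under an own property literally named `__proto__` while its prototype chain is unchanged.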
Available Upgrade Options
- xml2js
- <0.5.0 → Upgrade to 0.5.0
Additional Resources
- https://osv.dev/vulnerability/GHSA-776f-qx25-q3cc
- https://github.com/Leonidas-from-XIV/node-xml2js
- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
- https://fluidattacks.com/advisories/myers/
- https://nvd.nist.gov/vuln/detail/CVE-2023-0842
- https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html
- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5
What are Similar Vulnerabilities to CVE-2023-0842?
Similar Vulnerabilities: CVE-2020-28269, CVE-2019-10744, CVE-2020-13778, CVE-2021-23358, CVE-2020-7764
