CVE-2023-26920
prototype pollution vulnerability in fast-xml-parser (npm)

Vulnerability type: prototype pollution. Public exploits: none known.

What is CVE-2023-26920 About?

This vulnerability involves prototype pollution in `fast-xml-parser` where an attacker can use `__proto__` as a tag or attribute name in XML data. This allows for injection of properties into JavaScript's `Object.prototype`, which can lead to arbitrary code execution or denial of service. Exploitation is demonstrated via a simple XML payload.

Affected Software

fast-xml-parser <4.1.2

Technical Details

The `fast-xml-parser` library, when parsing XML data, fails to properly sanitize or handle XML elements or attributes named `__proto__`. When an XML string containing `<__proto__><polluted>hacked</polluted></__proto__>` is parsed by `XMLParser().parse()`, the `polluted` property with the value `"hacked"` is injected directly into `Object.prototype`. This constitutes a prototype pollution vulnerability, allowing an attacker to modify the behavior of all JavaScript objects by injecting arbitrary properties into their common prototype chain, potentially leading to remote code execution or other undesirable outcomes in the application using the parsed data.

What is the Impact of CVE-2023-26920?

Successful exploitation may allow attackers to inject properties into `Object.prototype`, potentially leading to arbitrary code execution, denial of service, or other application logic corruption.

What is the Exploitability of CVE-2023-26920?

Exploitation of this prototype pollution vulnerability requires the attacker to submit specially crafted XML data to an application that uses `fast-xml-parser`. The complexity is low, as the payload is simple (`<__proto__><polluted>value</polluted></__proto__>`). No authentication is required if the XML input is processed from untrusted sources, making it a remote attack vector. The primary risk factor is applications that parse untrusted XML input using affected versions of `fast-xml-parser` without implementing input validation or sanitization against `__proto__` property names.
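The following is added here as an illustration and is not fast-xml-parser's own code: a hypothetical minimal tag-to-object builder (element names only, no attributes) reproduces the mechanism from the Technical Details section, and the name check described above is shown beside it. `PAYLOAD` is the advisory's XML; `leafPaths`, `setPath`, `buildUnsafe` and `buildSafe` are invented names.

```javascript
// Constructed payload, taken from the advisory text.
const PAYLOAD = '<__proto__><polluted>hacked</polluted></__proto__>';

// Hypothetical simplified XML walker: returns [{ path: [tag, ...], text }]
// for each leaf element. Attributes are not handled in this illustration.
function leafPaths(xml, prefix = [], out = []) {
  const re = /<([^\s/>]+)>([\s\S]*?)<\/\1>/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    const path = prefix.concat(m[1]);
    if (/^\s*<[^/]/.test(m[2])) leafPaths(m[2], path, out); // nested tags
    else out.push({ path, text: m[2] });                     // leaf text
  }
  return out;
}

// The unsafe pattern: walk the tag path by plain property access and assign.
// With path ['__proto__', 'polluted'], node['__proto__'] resolves to
// Object.prototype, so the final assignment lands on the shared prototype.
function setPath(root, path, value) {
  let node = root;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
}

function buildUnsafe(xml) {
  const root = {};
  for (const { path, text } of leafPaths(xml)) setPath(root, path, text);
  return root;
}

// Hardened variant: reject prototype-chain names before they reach setPath.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function buildSafe(xml) {
  const root = {};
  for (const { path, text } of leafPaths(xml)) {
    const bad = path.find((k) => FORBIDDEN.has(k));
    if (bad) throw new Error(`rejected XML name "${bad}"`);
    setPath(root, path, text);
  }
  return root;
}

// Runs the unsafe builder on the payload, reads the leaked property from an
// unrelated object, then removes it so the process is left clean.
function demonstrate() {
  buildUnsafe(PAYLOAD);
  const leaked = ({}).polluted; // 'hacked'
  delete Object.prototype.polluted;
  return leaked;
}
```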

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-26920?

Available Upgrade Options

  • fast-xml-parser
    • <4.1.2 → Upgrade to 4.1.2


Additional Resources

What are Similar Vulnerabilities to CVE-2023-26920?

Similar Vulnerabilities: CVE-2020-28267, CVE-2021-23420, CVE-2020-7798, CVE-2021-3804, CVE-2022-26279