Source: node-xmldom
Version: 0.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jindw/xmldom/issues/150
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for node-xmldom.

CVE-2022-39353[0]:
| xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core)
| `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not
| well-formed because it contains multiple top level elements, and adds
| all root nodes to the `childNodes` collection of the `Document`,
| without reporting any error or throwing. This breaks the assumption
| that there is only a single root node in the tree, which led to
| issuance of CVE-2022-39299 as it is a potential issue for dependents.
| Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag
| latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a
| workaround, please use one of the following approaches depending on your
| use case: instead of searching for elements in the whole DOM, only
| search in the `documentElement` or reject a document with a document
| that has more than 1 `childNode`.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39353
    https://www.cve.org/CVERecord?id=CVE-2022-39353
[1] https://github.com/jindw/xmldom/issues/150
[2] https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
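The two workarounds quoted in the advisory, written out as an added example that is not part of the bug report or of xmldom: a check that rejects a Document with more than one root element, and a lookup that searches only below the `documentElement`. The Document objects are constructed stand-ins so the code runs without a parser; `isSingleRoot`, `findByTagName` and `safeFind` are names chosen here, not xmldom API.

```javascript
// Added example (not from the bug report or from xmldom): the advisory's
// workarounds as reusable checks on any W3C-style Document object, such as
// the one xmldom's DOMParser returns. Node type values follow the DOM spec.
const ELEMENT_NODE = 1, COMMENT_NODE = 8, DOCUMENT_NODE = 9;

// Count only element children of the Document: comments and processing
// instructions are legitimate siblings of the root and must not cause a reject.
function rootElements(doc) {
  return Array.from(doc.childNodes).filter((n) => n.nodeType === ELEMENT_NODE);
}

function isSingleRoot(doc) {
  return rootElements(doc).length === 1;
}

// Depth-first search by tag name below `node`, walking childNodes only so it
// works on the stand-in objects below as well as on a real DOM tree.
function findByTagName(node, tagName) {
  const hits = [];
  for (const child of node.childNodes) {
    if (child.nodeType === ELEMENT_NODE && child.nodeName === tagName) hits.push(child);
    hits.push(...findByTagName(child, tagName));
  }
  return hits;
}

// Mitigated lookup: reject a multi-root document, then search only under the
// single root element instead of over the whole Document.
function safeFind(doc, tagName) {
  const roots = rootElements(doc);
  if (roots.length !== 1) {
    throw new Error(`rejecting document with ${roots.length} root elements`);
  }
  return findByTagName(roots[0], tagName);
}

// Constructed stand-ins for parsed documents (no parser needed to run this).
const el = (nodeName, childNodes = []) => ({ nodeType: ELEMENT_NODE, nodeName, childNodes });
const comment = (data) => ({ nodeType: COMMENT_NODE, nodeName: '#comment', data, childNodes: [] });
const doc = (childNodes) => ({ nodeType: DOCUMENT_NODE, nodeName: '#document', childNodes });

// Tree for the well-formed input  <!-- c --><a><user/></a>
const WELL_FORMED = doc([comment('c'), el('a', [el('user')])]);
// Tree the vulnerable parser builds for  <a><user/></a><b><user/></b>
// (both top-level elements land in Document.childNodes without an error).
const MULTI_ROOT = doc([el('a', [el('user')]), el('b', [el('user')])]);
```

Searching `MULTI_ROOT` from the Document node finds two `user` elements, the second of them under the extra root; `safeFind` refuses that document instead, while the comment node in `WELL_FORMED` does not trip the check.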