xmldom is vulnerable to prototype pollution. The vulnerability exists because of lack of validations in copy
function in dom.js
which allows an attacker to inject malicious characteristics to add new values to a javascript application object prototype,overwriting or contaminating the base object.
users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf
dl.acm.org/doi/abs/10.1145/3488932.3497769
dl.acm.org/doi/pdf/10.1145/3488932.3497769
github.com/advisories/GHSA-9pgh-qqpf-7wqj
github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3
github.com/xmldom/xmldom/commit/1f20aee8ef1a8f3964add1a188f723bbc54862a0
github.com/xmldom/xmldom/commit/6956ec406fd4658dfb028a327c7a39238b24c3cd
github.com/xmldom/xmldom/commit/7c0d4b7fbf74079060a2f135a369adeeccaf4b18
github.com/xmldom/xmldom/issues/436
github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
github.com/xmldom/xmldom/issues/436#issuecomment-1327776560
github.com/xmldom/xmldom/pull/437
github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
lists.debian.org/debian-lts-announce/2022/10/msg00023.html