Mark Gollnick

**Name of the Vulnerable Software and Affected Versions** xmldom versions prior to 0.7.7 xmldom versions prior to 0.8.4 xmldom versions prior to 0.9.0-beta.4 **Description** The issue is related to the xmldom module, which is a pure JavaScript W3C standard-based XML DOM Level 2 Core `DOMParser` and `XMLSerializer` module. It parses XML that is not well-formed because it contains multiple top-level elements and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree. The vulnerability may allow a remote attacker to gain unauthorized access to the application by sending specially crafted data. **Recommendations** Update to @xmldom/xmldom@~0.7.7 Update to @xmldom/xmldom@~0.8.4 (dist-tag latest) Update to @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next) As a temporary workaround, consider searching for elements only in the `documentElement` instead of the whole DOM, or reject a document with more than one `childNode`.