Unknown · Fast-Xml-Parser · CVE-2023-26920
Name of the Vulnerable Software and Affected Versions:
fast-xml-parser versions prior to 4.1.2
Description:
The issue allows Prototype Pollution via the `__proto__` property name. It is triggered by including `__proto__` as a tag or attribute name in an XML string passed to the parser. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents in which this issue was exploited. Technically, a tag or attribute named `__proto__` is mapped onto the resulting JavaScript object under that key, so the parsed value is written to `Object.prototype` and inherited by every other object in the process. For example, an application that exposes an endpoint such as `/api/v1/parser` and passes untrusted XML containing `__proto__` to the parser is affected. The vulnerable variable is the `__proto__` key; the affected function is `XMLParser()`.
Recommendations:
For fast-xml-parser versions prior to 4.1.2, update to version 4.1.2 or later to resolve the issue. As a temporary workaround, check the XML string for `"__proto__"` before passing it to the parser and reject it if present. Restrict access to the `XMLParser()` function to minimize the risk of exploitation. Avoid using `__proto__` as a tag or attribute name in XML strings until the issue is resolved.
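As an added example (not fast-xml-parser's own code), the following guard implements the temporary workaround above: it scans tag and attribute names in the raw XML string for `__proto__` before the string reaches `XMLParser()`, and shows the own-property assignment that keeps such a name from reaching `Object.prototype`. The regular expressions, function names, the extra names `constructor` and `prototype`, and the sample inputs are assumptions constructed for this example.

```javascript
// Added example, not code from fast-xml-parser: a pre-parse guard for the
// CVE-2023-26920 workaround. It uses regular expressions rather than a full
// XML parser, so it may also reject a benign document whose attribute value
// happens to contain "__proto__=" (a false positive, acceptable for a guard).

// Property names that reach Object.prototype when used as object keys.
// __proto__ is the name from the advisory; constructor and prototype are
// included as an assumption, the usual companions in such checks.
const POLLUTING_NAMES = new Set(["__proto__", "constructor", "prototype"]);

// Opening tag: captures the tag name and the attribute string up to ">".
// Closing tags, comments and processing instructions do not match.
const TAG_RE = /<([^\s/>?!]+)([^>]*)>/g;
// Attribute names inside a tag's attribute string.
const ATTR_RE = /([^\s=]+)\s*=/g;

// Returns every polluting name found as a tag or attribute name, in order.
function findPollutingNames(xml) {
  const found = [];
  for (const [, tag, attrs] of xml.matchAll(TAG_RE)) {
    if (POLLUTING_NAMES.has(tag)) found.push(tag);
    for (const [, attr] of attrs.matchAll(ATTR_RE)) {
      if (POLLUTING_NAMES.has(attr)) found.push(attr);
    }
  }
  return found;
}

// Gate to call before XMLParser(): returns the string unchanged or throws.
function assertSafeXml(xml) {
  const bad = findPollutingNames(xml);
  if (bad.length > 0) {
    throw new Error(`refusing to parse XML: forbidden name(s) ${bad.join(", ")}`);
  }
  return xml;
}

// The underlying hazard and the parser-side fix: a plain `target[name] = value`
// with name "__proto__" reassigns the object's prototype, whereas defining an
// own property stores the value on this object only.
function safeSet(target, name, value) {
  Object.defineProperty(target, name,
    { value, enumerable: true, writable: true, configurable: true });
  return target;
}

// Constructed sample inputs.
const BENIGN_XML = '<root><user id="7">alice</user></root>';
const POLLUTING_XML = '<root><__proto__><polluted>1</polluted></__proto__></root>';
```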