Tharvid

**Name of the Vulnerable Software and Affected Versions** fast-xml-parser versions prior to 5.7.0 **Description** XMLBuilder fails to escape the "-->" sequence in comment content and the ">>" sequence in CDATA sections when generating XML from JavaScript objects. This flaw enables XML injection if user-controlled data is included in comments or CDATA elements, which can result in cross-site scripting (XSS), SOAP injection, or data manipulation. **Recommendations** Update to version 5.7.0.

**Name of the Vulnerable Software and Affected Versions** @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions prior to 0.6.0 **Description** The software allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. This occurs during the DOM construction and serialization flow for comment nodes when the `createComment()` function is called; the supplied string is stored as-is and later concatenated with XML comment delimiters during serialization. Because XML comments are syntax-sensitive, an attacker can provide input containing a sequence that closes the comment, allowing them to terminate the comment early and inject arbitrary XML nodes into the serialized output. This can enable an attacker to alter the meaning and structure of generated XML documents, affecting workflows that store, forward, sign, or parse the resulting XML, such as configuration or policy documents. **Recommendations** For @xmldom/xmldom versions prior to 0.8.13 and 0.9.10, update to version 0.8.13 or 0.9.10 and explicitly pass the `{ requireWellFormed: true }` option to the `serializeToString()` function to enable protection. For xmldom versions prior to 0.6.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions prior to 0.6.0 **Description** The package serializes `DocumentType` node fields (`internalSubset`, `publicId`, and `systemId`) verbatim without escaping or validation. When these fields are set programmatically via the `createDocumentType()` function or direct property writes using attacker-controlled strings, the `XMLSerializer.serializeToString` method can produce output where the DOCTYPE declaration is terminated prematurely, allowing arbitrary markup to appear outside of it. Specifically, injecting `]>` into `internalSubset` or `>` into `systemId` can close the DOCTYPE early, while manipulating `publicId` can break the quoting context to inject fake SYSTEM entries. This can lead to XXE-class attacks if downstream XML parsers re-parse the output with entity expansion enabled. **Recommendations** Update @xmldom/xmldom to versions 0.8.13 or 0.9.10. Update xmldom to a version later than 0.6.0. As a mitigation, pass the `{ requireWellFormed: true }` option to the `serializeToString()` method to enable validation of `DocumentType` fields and throw an `InvalidStateError` upon detecting injection sequences.

**Name of the Vulnerable Software and Affected Versions** @xmldom/xmldom versions prior to 0.8.13 @xmldom/xmldom versions prior to 0.9.10 xmldom versions 0.6.0 and earlier **Description** The software allows attacker-controlled processing instruction (PI) data to be serialized into XML without validating or neutralizing the PI-closing sequence `?>`. This occurs because the `createProcessingInstruction()` function stores the `data` variable directly without validation, and the serializer subsequently concatenates this data verbatim. An attacker can use the `?>` sequence to terminate the processing instruction prematurely and inject arbitrary XML nodes into the serialized output, potentially altering the structure and meaning of the generated XML documents. **Recommendations** For @xmldom/xmldom versions prior to 0.8.13 and 0.9.10, update to version 0.8.13 or 0.9.10 and explicitly pass the `{ requireWellFormed: true }` option to the `serializeToString()` function to enable validation that prevents the injection of `?>` sequences. For xmldom versions 0.6.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.