PT-2021-24348 · Unknown · Fast-Xml-Parser

Sudistark · Published 2021-08-13 · Updated 2023-12-14 · CVE-2023-26920

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: fast-xml-parser, all versions prior to 4.1.2.
Description: fast-xml-parser before 4.1.2 is vulnerable to Prototype Pollution. When the parser builds the result object, tag and attribute names are used directly as property keys, so an XML document that contains a tag or attribute named __proto__ causes the parser to write into Object.prototype instead of into the result. Properties injected that way become visible on every ordinary object in the process, which can turn into authorization bypasses or logic errors wherever code checks a property such as a role flag without verifying it is an own property. Any code path that passes attacker-supplied XML to the XMLParser class is affected; as an illustration, an application exposing an /api/v1/parser endpoint that feeds the request body to XMLParser() could be attacked with an XML string containing such a name. No estimate of the number of affected deployments and no reports of real-world exploitation are provided.
Recommendations: Update fast-xml-parser to version 4.1.2 or later. Until the update can be deployed, reject any XML document containing the string "__proto__" before it is passed to the parser. The check is crude, since it also rejects harmless text content containing that substring, but XML tag and attribute names cannot be entity-encoded, so a __proto__ name cannot be hidden from it. Legitimate documents have no reason to use __proto__ as a tag or attribute name. Also restrict which callers and inputs can reach XMLParser(), so that untrusted XML is not parsed at all where it does not need to be.

Weakness Enumeration: Incorrect Authorization · Prototype Pollution

Related Identifiers: CVE-2023-26920 · GHSA-793H-6F7R-6QVM · GHSA-X3CC-X39P-42QX

Affected Products: Fast-Xml-Parser