CVE-2022-39353

Name of the Vulnerable Software and Affected Versions xmldom versions prior to 0.7.7 xmldom versions prior to 0.8.4 xmldom versions prior to 0.9.0-beta.4

Description The issue is related to the xmldom module, which is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. It parses XML that is not well-formed because it contains multiple top-level elements and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree. The vulnerability may allow a remote attacker to gain unauthorized access to the application by sending specially crafted data.

Recommendations Update to @xmldom/xmldom@~0.7.7 Update to @xmldom/xmldom@~0.8.4 (dist-tag latest) Update to @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next) As a temporary workaround, consider searching for elements only in the documentElement instead of the whole DOM, or reject a document with more than one childNode.