CVE-2024-34391

Name of the Vulnerable Software and Affected Versions libxmljs versions <= 1.0.11

Description The issue is related to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of attrs() that was called on a parsed node. This might lead to denial of service on both 32-bit and 64-bit systems, data leak, infinite loop, and remote code execution on 32-bit systems with the XML PARSE HUGE flag enabled.

Recommendations For libxmljs versions <= 1.0.11, update to a patched version when available. As a temporary workaround, consider limiting untrusted XML parsing to minimize the risk of exploitation. Restrict access to the attrs() function in the affected libxmljs module until the issue is resolved. Avoid using the attrs() function on untrusted input until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.