VDB

CVE-2022-39353

CVE-2022-39353 PUBLISHED CVSS 9.399999618530273 CRITICAL

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.

EPSS 1.02% · 77.6th percentile

Risk Scores

CVSS 3.1
9.399999618530273
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS Score
1.02%
77.6th percentile

Affected Products

VendorProductVersions
xmldomxmldom>= 0.9.0-beta.1, < 0.9.0-beta.4, >= 0.8.0, < 0.8.4, *
npmxmldom0
xmldom_projectxmldom0.9.0, 0.9.0, 0
debiandebian_linux10.0
xmldomxmldom0.9.0-beta.1, 0.8.0, 0

Exploit Intelligence

Timeline

  • Nov 1, 2022 CVE Published
  • Nov 3, 2022 EPSS Score
  • Dec 16, 2022 EPSS Score
  • Jan 28, 2023 EPSS Score
  • Mar 13, 2023 EPSS Score
  • Apr 25, 2023 EPSS Score
  • Jun 7, 2023 EPSS Score
  • Jul 20, 2023 EPSS Score
  • Sep 2, 2023 EPSS Score
  • Oct 15, 2023 EPSS Score
  • Jan 9, 2024 EPSS Score
  • Feb 22, 2024 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›