Critical vulnerability in `@xmldom/xmldom@0.8.3`
Hello, we have seen a warning via aquasec about a vulnerability in xmldom: https://avd.aquasec.com/nvd/2022/cve-2022-39353/

This is a dependency of @mswjs/interceptors, hopefully we can update xmldom from 0.8.3 to 0.8.4 to remove the issue.

See here: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883
Issue Analytics
- Created a year ago
- Comments: 6 (2 by maintainers)
Top GitHub Comments
The interceptors don’t have to be released at all for you to get the fix for the transient dependency of xmldom: @mswjs/interceptors → xmldom (Source)

Installing msw gets you xmldom@^0.8.3, which means 0.8.x. The fix is at xmldom@0.8.5, so you will get it per semver. Just make sure you’re not hitting your package manager’s cache when reinstalling (rm -rf node_modules or --force).

For anyone who stumbles on this while looking to patch:
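Added editorial example, not part of any comment in this thread and not code from msw, @mswjs/interceptors or xmldom: it works through the semver reasoning in the maintainer's reply (a caret range such as ^0.8.3 accepts 0.8.5 but not 0.9.0) and then checks a package-lock tree for the version of a transitive dependency that is actually installed, which is the check to run after reinstalling to confirm a stale lockfile or cache did not keep the vulnerable version in place. The lockfile fragments and the @mswjs/interceptors version in them are constructed for the example.

```javascript
// Added example (not from the thread, msw, @mswjs/interceptors or xmldom).
// Part 1: caret-range semantics as npm applies them.
// Part 2: find the installed copies of a package in a package-lock "packages"
//         map and verify each one is at or above the fixed version.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret: the leftmost non-zero component is pinned, everything right of it may move.
//   ^1.2.3 -> >=1.2.3 <2.0.0
//   ^0.8.3 -> >=0.8.3 <0.9.0   (the range discussed in the thread)
//   ^0.0.3 -> >=0.0.3 <0.0.4
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled here: ${range}`);
  const lower = parseVersion(range.slice(1));
  const [major, minor, patch] = lower;
  let upper;
  if (major > 0) upper = [major + 1, 0, 0];
  else if (minor > 0) upper = [0, minor + 1, 0];
  else upper = [0, 0, patch + 1];
  return { lower: lower.join('.'), upper: upper.join('.') };
}

function caretSatisfies(range, version) {
  const { lower, upper } = caretBounds(range);
  return compareVersions(version, lower) >= 0 && compareVersions(version, upper) < 0;
}

// Every installed copy of `name` in a lockfileVersion 2/3 "packages" map,
// including nested copies under another package's node_modules.
function installedVersions(lock, name) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// True only if the package is present and no installed copy is below the fix.
function auditTransitive(lock, name, fixedVersion) {
  const copies = installedVersions(lock, name);
  const allFixed =
    copies.length > 0 && copies.every((c) => compareVersions(c.version, fixedVersion) >= 0);
  return { copies, allFixed };
}

// Constructed lockfile fragments. The declared range is the same in both; only
// the resolved version differs, which is exactly what a stale cache produces.
const STALE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@mswjs/interceptors': {
      version: '0.0.0', // constructed placeholder version
      dependencies: { '@xmldom/xmldom': '^0.8.3' },
    },
    'node_modules/@xmldom/xmldom': { version: '0.8.3' },
  },
};

const REFRESHED_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@mswjs/interceptors': {
      version: '0.0.0', // constructed placeholder version
      dependencies: { '@xmldom/xmldom': '^0.8.3' },
    },
    'node_modules/@xmldom/xmldom': { version: '0.8.5' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('^0.8.3 bounds:', caretBounds('^0.8.3'));
  console.log('stale lock:', auditTransitive(STALE_LOCK, '@xmldom/xmldom', '0.8.5'));
  console.log('refreshed lock:', auditTransitive(REFRESHED_LOCK, '@xmldom/xmldom', '0.8.5'));
}
```

On a real project, load package-lock.json with JSON.parse and pass it to auditTransitive; a result with allFixed false after a reinstall is the signal that the lockfile or package-manager cache still holds the old resolution.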