
Critical vulnerability in `@xmldom/xmldom@0.8.3`


Hello, we have seen a warning via aquasec about a vulnerability in xmldom: https://avd.aquasec.com/nvd/2022/cve-2022-39353/

This is a dependency of @mswjs/interceptors, hopefully we can update xmldom from 0.8.3 to 0.8.4 to remove the issue.

See here: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883

Issue Analytics

  • State: closed
  • Created: a year ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
kettanaito commented, Nov 4, 2022

The interceptors don’t have to be released at all for you to get the fix for the transient dependency of xmldom:

  • msw
    • whichever patch version of @mswjs/interceptors
      • whichever patch version of xmldom


Installing msw gets you xmldom@^0.8.3, which means 0.8.x. The fix is at xmldom@0.8.5, so you will get it per semver. Just make sure you’re not hitting your package manager’s cache when reinstalling (rm -rf node_modules or --force).

0 reactions
ben-wilson-peak commented, Dec 2, 2022

For anyone who stumbles on this while looking to patch:

```json
{
  "resolutions": {
    "msw/**/@mswjs/interceptors": "0.19.0"
  }
}
```
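The two comments above describe the two situations a team lands in with a vulnerable transitive dependency: the declared range (here `^0.8.3`) already admits the patched release, so a lockfile refresh or a cache-bypassing reinstall is enough, or something in the tree pins the bad version and only a `resolutions`/`overrides` entry can move it. The script below is an added example, not code from the issue, from msw or from xmldom: it walks a lockfile-shaped dependency map, resolves which `@xmldom/xmldom` each dependent actually gets, and classifies the remediation. It assumes the npm lockfile v2/v3 `packages` layout, uses a constructed sample tree in which `legacy-tool` is hypothetical, implements only exact, tilde and caret ranges, and takes 0.8.4 as the patched version because that is the number in the issue text; set `FIXED_VERSION` to whatever the advisory lists for the release line you ship.

```javascript
// Added example (not code from the issue, msw or xmldom): audit a lockfile-style
// dependency tree for @xmldom/xmldom and decide, per dependent, whether a plain
// lockfile refresh can reach the patched release or whether the declared range
// blocks it and a resolutions/overrides pin is needed.
// Assumptions: the tree below mimics the "packages" map of an npm lockfile v2/v3
// and is constructed for this example ("legacy-tool" is hypothetical); the
// patched version is taken from the issue text (0.8.3 -> 0.8.4).

const FIXED_VERSION = "0.8.4";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into [major, minor, patch]; the
// prerelease tag is dropped, which is good enough for a lockfile audit.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version or range: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal range check for the shapes a lockfile audit meets most: exact
// "1.2.3", tilde "~1.2.3" and caret "^1.2.3". Caret semantics: with a
// non-zero major, any later version of that major; with major 0, only the same
// minor, so ^0.8.3 means >=0.8.3 <0.9.0 (the point made in the thread);
// with major and minor both 0, only that exact patch. Anything else throws.
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : "";
  const floor = op ? range.slice(1) : range;
  if (!op) return compareVersions(version, floor) === 0;
  if (compareVersions(version, floor) < 0) return false;
  const v = parseVersion(version);
  const b = parseVersion(floor);
  if (op === "~") return v[0] === b[0] && v[1] === b[1];
  if (b[0] > 0) return v[0] === b[0];
  if (b[1] > 0) return v[0] === 0 && v[1] === b[1];
  return v[0] === 0 && v[1] === 0 && v[2] === b[2];
}

// Node-style resolution over lockfile paths: look for the name under the
// dependent's own node_modules, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// For every package that declares @xmldom/xmldom, report the version it actually
// resolves to and what it takes to get it onto the fixed release.
function auditXmldom(lock, fixed = FIXED_VERSION) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const range = entry.dependencies && entry.dependencies["@xmldom/xmldom"];
    if (!range) continue;
    const target = resolveDep(lock.packages, path, "@xmldom/xmldom");
    const installed = target ? lock.packages[target].version : null;
    const vulnerable = installed !== null && compareVersions(installed, fixed) < 0;
    let remediation = "none";
    if (vulnerable) {
      // Range already admits the fix: a lockfile refresh (or a reinstall that
      // bypasses the package-manager cache) is enough. Otherwise the range
      // itself pins the bad version and only a resolutions/overrides entry helps.
      remediation = satisfies(fixed, range) ? "refresh-lockfile" : "pin-override";
    }
    findings.push({ dependent: path || "(root)", range, installed, vulnerable, remediation });
  }
  return findings;
}

// Constructed sample tree: msw -> @mswjs/interceptors -> @xmldom/xmldom@^0.8.3
// (hoisted, currently 0.8.3) plus a hypothetical "legacy-tool" that pins
// @xmldom/xmldom to exactly 0.8.2 in its own nested node_modules.
const SAMPLE_LOCK = {
  name: "app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { msw: "^0.47.0", "legacy-tool": "^1.0.0" } },
    "node_modules/msw": { version: "0.47.4", dependencies: { "@mswjs/interceptors": "^0.17.5" } },
    "node_modules/@mswjs/interceptors": { version: "0.17.5", dependencies: { "@xmldom/xmldom": "^0.8.3" } },
    "node_modules/@xmldom/xmldom": { version: "0.8.3" },
    "node_modules/legacy-tool": { version: "1.0.0", dependencies: { "@xmldom/xmldom": "0.8.2" } },
    "node_modules/legacy-tool/node_modules/@xmldom/xmldom": { version: "0.8.2" },
  },
};

console.log(JSON.stringify(auditXmldom(SAMPLE_LOCK), null, 2));
```

On the sample tree the `@mswjs/interceptors` dependent comes back as `refresh-lockfile` (its `^0.8.3` range admits 0.8.4, so deleting the lockfile entry or reinstalling past the cache is enough), while the hypothetical `legacy-tool` comes back as `pin-override` because an exact `0.8.2` range can never resolve to the fix. To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the range parser deliberately throws on range syntax it does not understand rather than guessing, so extend `satisfies` before trusting it on trees that use `>=`, `||` or `*` ranges.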

Top Results From Across the Web

  • Prototype Pollution in @xmldom/xmldom | CVE-2022-37616
    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing ...
  • CVE @xmldom/xmldom <0.8.3 #7958 - videojs/video.js - GitHub
    Description @xmldom/xmldom has reported a CVE which results in a (successfully) failing audit pipeline in our GitLab Reduced test case ...
  • Improperly Controlled Modification of Object Prototype ...
    A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package. Patches. Update ...
  • [invalid] Prototype pollution found in dom.js · Issue #436 - GitHub
    Prototype pollution vulnerability in function copy in dom.js in xmldom xmldom 0.6.0 via the p variable in dom.js. The prototype pollution ...
  • CVE-2022-39353 Detail - NVD
    xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ... Base Score: 9.8 CRITICAL ... Denotes Vulnerable Software
