CVE-2021-21366

MEDIUM

xmldom <0.4.0 - Info Disclosure

Title source: llm

Description

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This is fixed in version 0.5.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

References (5)

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html

[Patch] https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135

View Patch ZIP pw:eip

[Release Notes] https://github.com/xmldom/xmldom/releases/tag/0.5.0

[Vendor Advisory] https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv

[Product] https://www.npmjs.com/package/xmldom

Scores

CVSS v3 4.3

EPSS 0.0057

EPSS Percentile 68.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-115 CWE-436

Status published

Products (3)

debian/debian_linux 10.0

npm/xmldom 0 - 0.5.0npm

xmldom_project/xmldom < 0.5.0

Published Mar 12, 2021

Tracked Since Feb 18, 2026