CVE-2023-0842

MEDIUM

Xml2js < 0.5.0 - Prototype Pollution

Title source: rule

Description

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

References (4)

[Release Notes] https://github.com/Leonidas-from-XIV/node-xml2js/releases/tag/0.6.2

[Exploit, Third Party Advisory] https://fluidattacks.com/advisories/myers/

[Product] https://github.com/Leonidas-from-XIV/node-xml2js/

View Writeup ZIP pw:eip

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html

Scores

CVSS v3 5.3

EPSS 0.0035

EPSS Percentile 57.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

npm/xml2js 0 - 0.5.0npm

xml2js_project/xml2js 0.4.23

Published Apr 05, 2023

Tracked Since Feb 18, 2026