Snyk vulnerability from xmldom
shresthasamir4119 opened this issue · 2 comments
xmldom XML External Entity (XXE) Injection
Introduced through: saml2-js@3.0.1
Fixed in: xmldom@0.5.0
Introduced through: saml2-js@3.0.1 › xmldom@0.4.0
Overview
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. It does not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.
This cannot be fixed by simply upgrading the dependency to 0.5.0.
Snyk has also identified issues in xmldom 0.6.0
The maintainer of xmldom is no longer able to publish to npm as xmldom, but only as @xmldom/xmldom.
The latest version of @xmldom/xmldom has no reported vulnerabilities but it is not possible to manually install this dependency prior to installing saml2-js. The dependency should be changed to @xmldom/xmldom for which the current version is 0.8.0.
There is already a pull request for this, which needs to be released: #245
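As an added example (not code from this issue, saml2-js or xmldom), a small Node script that walks an npm lockfile-v1 style dependency tree and reports how the unscoped `xmldom` package is introduced, in the same "parent@ver › child@ver" form Snyk prints above. The lockfile contents are constructed to mirror the finding in this issue, and the 0.5.0 threshold is the fix version stated in the advisory.

```javascript
// Audit a lockfile object for the unscoped `xmldom` package and report every
// path that introduces it, so the vulnerable transitive copy can be located.
const XXE_FIXED_IN = "0.5.0";              // fix version from the advisory
const SCOPED_REPLACEMENT = "@xmldom/xmldom"; // maintained package name

// Constructed lockfile fragment (not real project data), mirroring the issue.
const SAMPLE_LOCK = {
  name: "example-app",
  dependencies: {
    "saml2-js": {
      version: "3.0.1",
      dependencies: { xmldom: { version: "0.4.0" } },
    },
    "@xmldom/xmldom": { version: "0.8.0" },
  },
};

// Numeric x.y.z comparison; prerelease tags are not handled here.
function versionLt(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk collecting each occurrence of `name` with its intro path.
function findPackage(lock, name) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...trail, `${dep}@${info.version}`];
      if (dep === name) hits.push({ path: here.join(" › "), version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Pre-0.5.0 copies are still exposed to the XXE advisory; any unscoped copy
// should be moved to the scoped package regardless of version.
function auditXmldom(lock) {
  return findPackage(lock, "xmldom").map((hit) => ({
    ...hit,
    reason: versionLt(hit.version, XXE_FIXED_IN) ? "xxe-unfixed" : "unscoped-deprecated",
    recommend: SCOPED_REPLACEMENT,
  }));
}

console.log(auditXmldom(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v2/v3 files also carry a "packages" map that this walker does not read.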