[ Security] [CVE-2023-0842] xml2js is vulnerable to prototype pollution #664
Comments

@lukewang2018 Upgrade

@MChuduk Thanks a lot for your quick fix!

@lukewang2018 You're welcome.

Due to the tags in GitHub, npm/yarn/GitHub might be confused as to what the latest non-beta release is.

I tried to use version 0.5.0 in package.json and installed it, but I am still observing the security vulnerability. @Leonidas-from-XIV can you please advise?

Hi @sachindkagrawal18, I had the same problem. As of npm CLI 8.3 there is a new property called overrides that can do the trick while the new version is properly released. That worked for me :D
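The comment above points at npm's "overrides" field as the interim fix: it forces every nested copy of xml2js in the tree onto a release that is not affected. The following is an added example, not code from this thread or from the xml2js project, that checks a package.json for such an override and reports whether it actually excludes the affected line (<= 0.4.23). The package.json text and the "some-lib" dependency are constructed for the example; the range parser only understands plain "0.5.0", "^0.5.0", "~0.5.0" and ">=0.5.0" forms, which is all an override like this needs.

```javascript
// Added example (not xml2js project code): verify that package.json carries an
// npm "overrides" entry that pins xml2js to a non-affected version (>= 0.5.0).
// Requires npm CLI >= 8.3 for the overrides field to take effect.

// Constructed package.json: "some-lib" stands in for a dependency that pulls in
// xml2js transitively, which is the case the override is meant to cover.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: { "some-lib": "^1.0.0" },
  overrides: { xml2js: "^0.5.0" },
});

// First release outside the affected range named in GHSA-776f-qx25-q3cc.
const FIXED_VERSION = [0, 5, 0];

// Lowest version admitted by a simple range: "0.5.0", "^0.5.0", "~0.5.0", ">=0.5.0".
// Returns null for anything it does not understand rather than guessing.
function minimumVersion(range) {
  const m = /^(?:\^|~|>=)?\s*(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major/minor/patch comparison; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns { pinned, reason }: pinned is true only when an override exists and
// its lowest admitted version is at or above FIXED_VERSION.
function checkXml2jsOverride(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const range = pkg.overrides && pkg.overrides.xml2js;
  if (typeof range !== "string") {
    return { pinned: false, reason: "no overrides.xml2js entry in package.json" };
  }
  const min = minimumVersion(range);
  if (!min) {
    return { pinned: false, reason: `cannot parse override range "${range}"` };
  }
  if (compareVersions(min, FIXED_VERSION) < 0) {
    return { pinned: false, reason: `override "${range}" still admits <= 0.4.23` };
  }
  return { pinned: true, reason: `override "${range}" forces xml2js >= 0.5.0` };
}

// Stand-alone run on the constructed sample.
console.log(checkXml2jsOverride(SAMPLE_PACKAGE_JSON));
```

Note that the override only changes what npm installs; it does not change how a dependency uses the returned object, so the backwards-compatibility caveat raised later in the thread (#603) still applies to code that relies on the old behaviour. An override such as "^0.4.23" is reported as not pinned because the affected range includes that version.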
Bro, dependabot was annoying me this whole time just because of this! haha

@Leonidas-from-XIV any chance of backporting the fix to I know I can force a newer version, but it's hard to say if that's safe without a changelog of some sort. And regardless, forcing every consumer (14M weekly downloads) to do so seems a bit much.

@SimenB I don't think it's possible, as the fix is a backwards-incompatible change (#603), at least depending on how you use the object that gets returned (if you just use it as a data object . I first thought it could be mitigated in an easier way to stay in the 0.4 series, but this looks like a game of whack-a-mole. If you have a PR that would fix the issue in a compatible way, I am perfectly happy to add another release to the 0.4 series. But you can use overrides to force dependencies to use newer versions; maybe that helps?
[Security] [CVE-2023-0842] xml2js is vulnerable to prototype pollution

Can someone help fix this security issue? Thanks.

Refer to GHSA-776f-qx25-q3cc

Affected versions: <= 0.4.23

Description: xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
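The description above names the root cause: keys taken from the parsed document are assigned onto an object without validation, so a key literally named `__proto__` reaches the object's prototype. The following is an added example, not xml2js code, showing a generic nested-merge routine of the kind a parser uses to turn child elements into properties, first in the unsafe form the description matches and then in a hardened form that rejects prototype-reaching keys and builds on null-prototype objects. The `UNTRUSTED` input and the `polluted` marker are constructed for the example.

```javascript
// Added example (not xml2js code): unsafe vs. hardened nested merge.

// Keys that resolve to Object.prototype (or to a constructor's prototype) when
// assigned through a plain object; a safe merge must never honour them.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed untrusted input. JSON.parse is used deliberately: an object
// literal {__proto__: ...} would set the prototype at creation, whereas
// JSON.parse produces an *own* key named "__proto__", which is what a parser
// hands to its merge step.
const UNTRUSTED = JSON.parse(
  '{"user":{"name":"alice"},"__proto__":{"polluted":true}}'
);

// Unsafe: mirrors "does not properly validate incoming keys". On a plain
// target, target["__proto__"] reads Object.prototype, so the recursion writes
// "polluted" onto the prototype shared by every object in the process.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject the forbidden keys outright, only descend into *own*
// properties of the target, and create nested containers with a null
// prototype so there is no inherited setter to reach in the first place.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-polluting key: ${key}`);
    }
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = Object.create(null);
      }
      deepMergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check: a fresh empty object must not see the marker property.
// Useful as a post-parse assertion or a unit test around any deserializer.
function isPolluted(marker) {
  return ({})[marker] !== undefined;
}

// Convenience: merge untrusted data onto a null-prototype object, returning
// "rejected" instead of throwing so callers can log and drop the document.
function safeMerge(source) {
  try {
    return deepMergeSafe(Object.create(null), source);
  } catch (e) {
    return "rejected";
  }
}

// Stand-alone run: only the hardened path is exercised, so the process's
// Object.prototype is left untouched.
console.log(safeMerge(UNTRUSTED), "polluted:", isPolluted("polluted"));
```

The same check works with any parser's output: run `isPolluted` on a marker you would never define yourself after deserializing untrusted input, and treat a positive result as an incident rather than a bug to tolerate. `Object.create(null)` containers also stop `constructor.prototype` style paths, which is why the hardened version both rejects the keys and avoids plain `{}`.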