Malicious Package in body-parse-xml

Critical severity GitHub Reviewed Published Sep 3, 2020 • Updated Sep 30, 2021

Package

body-parse-xml (npm)

Affected versions

>= 0.0.0

Patched versions

None

Description

This package contained malicious code. The package uploaded system information such as OS and hostname to a remote server.

Recommendation

Remove the package from your environment. There are no indications of further compromise.
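
A check that supports the recommendation above, as an added example (not part of the advisory and not GitHub's or npm's own tooling): it walks a parsed package-lock.json in either layout (the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of version 1) and reports every install path of body-parse-xml, including transitive and aliased installs. The function names, the sample lockfile, its version numbers and the other package names are constructed for illustration.

```javascript
// Added example: locate body-parse-xml anywhere in a parsed package-lock.json.
const MALICIOUS = 'body-parse-xml'; // package named in this advisory; every version is affected

// Resolve the real package name behind an install key, covering npm aliases:
// v2/v3 entries carry "name"; v1 entries carry version "npm:<real-name>@<version>".
function realName(key, meta) {
  const alias = /^npm:(.+)@[^@]*$/.exec(meta.version || '');
  return meta.name || (alias ? alias[1] : key);
}

function findInLockfile(lock, name = MALICIOUS) {
  const hits = [];
  const record = (path, meta) => {
    if (!hits.some((h) => h.path === path)) hits.push({ path, version: meta.version });
  };
  // lockfileVersion 2/3: flat map keyed by install path,
  // e.g. "node_modules/a/node_modules/body-parse-xml".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (realName(path.split('node_modules/').pop(), meta) === name) record(path, meta);
  }
  // lockfileVersion 1 (and the compatibility section of v2): nested tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = [...trail, dep];
      if (realName(dep, meta) === name) record(here.map((d) => 'node_modules/' + d).join('/'), meta);
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/some-middleware/node_modules/body-parse-xml': { version: '1.0.0' },
    'node_modules/xml-alias': { name: 'body-parse-xml', version: '1.0.0' },
  },
  dependencies: {
    express: { version: '4.17.1' },
    'some-middleware': { version: '2.0.0', dependencies: { 'body-parse-xml': { version: '1.0.0' } } },
    'xml-alias': { version: 'npm:body-parse-xml@1.0.0' },
  },
};
console.log(findInLockfile(sampleLock));
```

For a real project, pass the result of `JSON.parse` on the contents of package-lock.json; an empty array means the lockfile does not pin the package under its own name or an alias.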

References

Severity

Critical 9.8 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-jcmh-9fvm-j39w

Source code

No known source code