[GHSA-6433-x5p4-8jc7] libxmljs vulnerable to type confusion when parsing specially crafted XML #5720
Conversation
github-actions
bot
changed the base branch from
main
to
akabarki76/advisory-improvement-5720
There was a problem hiding this comment.
Here's a professional review of the proposed changes to GHSA-6433-x5p4-8jc7 (libxmljs type confusion vulnerability):
Code Review Feedback
Change Summary:
The PR proposes removing both CVSS v3 and v4 severity scores from the advisory JSON file.
Assessment:
-
Impact Analysis:
- ❌ Problematic: Removing severity scores breaks standardized vulnerability assessment
- ℹ️ CVSS scores are critical for:
- Automated risk assessment tools
- Dependency scanning systems
- Organizational risk management processes
-
Technical Considerations:
- The original scores appear accurate for this vulnerability:
- CVSS v3.1: 8.1 HIGH (
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)- Appropriate given RCE potential on 32-bit systems
- CVSS v4: 9.2 CRITICAL (
AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H)- Reflects updated scoring for type confusion vulnerabilities
- CVSS v3.1: 8.1 HIGH (
- The original scores appear accurate for this vulnerability:
-
Suggested Improvements (if modification is needed):
"severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "additional_context": "RCE possible on 32-bit systems with XML_PARSE_HUGE" }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "temporal_scores": { "exploitability": "Functional", "remediation_level": "Official Fix" } } ]
Recommendation:
🚫 Do not merge as currently proposed. Instead:
-
Either:
- Keep existing severity scores (recommended)
- OR Update with enhanced contextual scoring as shown above
-
Additional Suggested Changes:
"affected": [ { "package": { "ecosystem": "npm", "name": "libxmljs" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ {"introduced": "0"}, {"fixed": "1.0.12"} ] } ] } ]
Rationale:
- CVSS scores provide critical risk quantification
- Removal would degrade advisory usefulness for downstream consumers
- Better to enhance than remove vulnerability metadata
Reviewer Checklist
- Verify CVSS v3.1 score matches NVD records
- Confirm fixed version (1.0.12) is accurate
- Check if any additional CWE mappings needed (CWE-843 is correct)
- Ensure references include all relevant links:
Would you like me to provide any additional analysis of the vulnerability specifics or suggested metadata improvements?
|
Hi @akabarki76, I'm closing this pull request because the only change made removes CVSS 3.1. It's OK for an advisory to have CVSS 3.1 and CVSS 4.0. The contents of the advisory are OK the way they currently are. Thank you for your interest in GHSA-6433-x5p4-8jc7 and have a good day. |
Updates
Comments
Title: libxmljs vulnerable to type confusion when parsing specially crafted XML
Description:
libxmljs is vulnerable to a type confusion vulnerability when processing malicious XML content. The issue occurs when:
attrs()on a parsed nodeattrs()Impact:
The vulnerability stems from improper type handling when manipulating node attributes, allowing memory corruption that could be exploited to achieve the above impacts.
References:
https://nvd.nist.gov/vuln/detail/CVE-2024-34391
libxmljs/libxmljs#645
https://research.jfrog.com/vulnerabilities/libxmljs-attrs-type-confusion-rce-jfsa-2024-001033988
libxmljs/libxmljs@[COMMIT_HASH] (add the actual commit hash that fixed the issue)
Affected Products:
Ecosystem: npm
Package name: libxmljs
Affected versions: <= 1.0.11
Patched versions: >= 1.0.12
Severity: Critical (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Weaknesses:
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')