CVE-2022-21144:
Denial of service vulnerability exists in libxmljs

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.6128%
Published: 5/3/2022
Updated: 8/17/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
libxmljs | npm | < 0.19.8 | 0.19.8

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from the XML/HTML parsing functions' failure to validate input types. The GitHub patch shows these functions were modified to add explicit checks for string/buffer inputs, and the CVE description explicitly mentions parseXml as the vulnerable entry point. The pre-patch code paths for both FromHtml and FromXml in xml_document.cc contained the unsafe input handling logic that led to the crash scenario.
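
An application-side type gate that mirrors the string/buffer check described above, shown as an added example; it is not code from libxmljs or from its patch. The names checkXmlInput, guardedParse, the injected parse parameter and the 1 MiB size limit are assumptions, and the sample inputs are constructed.

```javascript
// Added example, not libxmljs code: type gate in front of a native XML parser.
const MAX_XML_BYTES = 1 << 20; // assumed application limit (1 MiB)

// Names a value's type without calling any method on the value itself.
function typeName(value) {
  if (value === null) return 'null';
  return Array.isArray(value) ? 'array' : typeof value;
}

// Accepts only a primitive string or a Buffer. No property of `value` other
// than `length` on a confirmed Buffer is read, so `toString` is never reached.
function checkXmlInput(value) {
  const isText = typeof value === 'string';
  if (!isText && !Buffer.isBuffer(value)) {
    return { ok: false, reason: `unsupported type: ${typeName(value)}` };
  }
  const size = isText ? Buffer.byteLength(value, 'utf8') : value.length;
  if (size === 0) return { ok: false, reason: 'empty document' };
  if (size > MAX_XML_BYTES) return { ok: false, reason: 'document too large' };
  return { ok: true, xml: value };
}

// `parse` is injected (hypothetical parameter) so the block runs without
// libxmljs installed; in an application it would be libxmljs.parseXml.
function guardedParse(parse, value) {
  const verdict = checkXmlInput(value);
  if (!verdict.ok) throw new TypeError(`XML input rejected: ${verdict.reason}`);
  return parse(verdict.xml);
}

// Constructed sample inputs, as they might arrive from a JSON request body.
function runSamples() {
  let touched = false; // set if anything reads the probe's toString
  const probe = Object.defineProperty({}, 'toString', {
    get() { touched = true; return () => '<a/>'; },
  });
  const stubParse = (xml) => ({ parsedBytes: Buffer.byteLength(xml) });
  const inputs = ['<a/>', Buffer.from('<a/>'), probe, { xml: '<a/>' }, ['<a/>'], 42, null, ''];
  const results = inputs.map((input) => {
    try { return { accepted: true, doc: guardedParse(stubParse, input) }; }
    catch (err) { return { accepted: false, error: err.message }; }
  });
  return { results, touched };
}
```

The gate reduces exposure on code paths that pass request data to the parser; it does not replace upgrading to the first patched version listed above.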


WAF Protection Rules

WAF Rule

libxmljs provides libxml bindings for v8 javascript engine. This affects all versions of package libxmljs. When invoking the libxmljs.parseXml function with a non-buffer argument the V8 code will attempt invoking the .toString method of the argument.
