9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-37616

GHSA ID

GHSA-9pgh-qqpf-7wqj

EPSS Score

CWE

CWE-1321

Published

10/11/2022

Updated

2/2/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-37616

CVE-2022-37616:
Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Withdrawn

This advisory has been withdrawn because the maintainers of @xmldom/xmldom and multiple third parties disputed the validity of the issue. Attempts to create or replicate a proof of concept have been unsuccessful.

Original Description

Impact

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package.

Patches

Update to @xmldom/xmldom@~0.7.6, @xmldom/xmldom@~0.8.3 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.2 (dist-tag next).

Workarounds

None

References

https://github.com/xmldom/xmldom/pull/437

For more information

If you have any questions or comments about this advisory:

Email us at security@xmldom.org
Add information to https://github.com/xmldom/xmldom/issues/436

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2022-37616

GHSA ID

GHSA-9pgh-qqpf-7wqj

EPSS Score

CWE

CWE-1321

Published

10/11/2022

Updated

2/2/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
xmldom	npm	<= 0.6.0
@xmldom/xmldom	npm	= 0.9.0-beta.1	0.9.0-beta.2
@xmldom/xmldom	npm	>= 0.8.0, < 0.8.3	0.8.3
@xmldom/xmldom	npm	< 0.7.6	0.7.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability report explicitly identifies the 'copy' function in dom.js as the source of prototype pollution. The function iterates over all enumerable properties (including prototype chain properties) via 'for (var p in src)' without hasOwnProperty checks. The fix in PR #437 added hasOwnProperty checks to prevent this, confirming the vulnerability. The code snippets from dom.js show the unpatched version of this function, and multiple advisories reference this as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn T*is **visory **s ***n wit**r*wn ****us* t** m*int*in*rs o* `@xml*om/xml*om` *n* multipl* t*ir* p*rti*s *isput** t** v*li*ity o* t** issu*. *tt*mpts to *r**t* or r*pli**t* * proo* o* *on**pt **v* ***n unsu***ss*ul. ## Ori*in*l **s*ript

Reasoning

T** vuln*r**ility r*port *xpli*itly i**nti*i*s t** '*opy' *un*tion in *om.js *s t** sour** o* prototyp* pollution. T** *un*tion it*r*t*s ov*r *ll *num*r**l* prop*rti*s (in*lu*in* prototyp* ***in prop*rti*s) vi* '*or (v*r p in sr*)' wit*out **sOwnProp

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-37616: Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Withdrawn

Original Description

Impact

Patches

Workarounds

References

For more information

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-37616:
Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Vulnerability Intelligence
Miggo AI