
CVE-2023-0842: xml2js is vulnerable to prototype pollution

CVSS Score (CVSS v3.1)
5.3

Basic Information

EPSS Score
0.4845%
Published
4/5/2023
Updated
3/14/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
xml2js         npm         < 0.5.0               0.5.0

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from using `{}` (which inherits from Object.prototype) instead of `Object.create(null)` when creating parsed objects. Because keys derived from XML tag and attribute names are written directly onto these objects, a name such as `__proto__` reaches the accessor inherited from Object.prototype instead of being stored as ordinary data. The commit 581b19a explicitly addresses this by replacing all `{}` initializations with `Object.create(null)` in the parser's element/attribute/child object creation paths. These functions handled raw XML input without prototype validation, making them entry points for `__proto__` injection in vulnerable versions (<0.5.0).
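To make the root cause concrete, the following added example (not xml2js's own code) contrasts the two object-creation patterns the analysis describes; the tokenised child list is constructed inline, and `buildVulnerable`, `buildHardened` and `compare` are illustrative names.

```javascript
// Added example (not xml2js's own code): why `{}` versus Object.create(null)
// matters when an XML-to-object parser keys its results by tag name.

// Constructed input: the tokenised children of
//   <root><name>alice</name><__proto__><injected>1</injected></__proto__></root>
// as [tagName, alreadyParsedValue] pairs, so no real XML parser is needed.
const SAMPLE_CHILDREN = [
  ['name', 'alice'],
  ['__proto__', { injected: true }],
];

// Pre-0.5.0 style: the result inherits from Object.prototype, so assigning
// the key "__proto__" invokes the inherited accessor and re-parents the
// object instead of storing data. Whatever was inside <__proto__> now shows
// up as an inherited property of the parsed result.
function buildVulnerable(children) {
  const obj = {};
  for (const [tag, value] of children) obj[tag] = value;
  return obj;
}

// Fixed style (commit 581b19a): a null-prototype object has no __proto__
// accessor, so "__proto__" is stored as an ordinary own key.
function buildHardened(children) {
  const obj = Object.create(null);
  for (const [tag, value] of children) obj[tag] = value;
  return obj;
}

// Defensive check a consumer can run on parser output: a tag-keyed result
// should never have been re-parented onto input-controlled data.
function hasExpectedPrototype(parsed) {
  const proto = Object.getPrototypeOf(parsed);
  return proto === null || proto === Object.prototype;
}

// Summarise how each pattern handles the same input.
function compare(children) {
  const v = buildVulnerable(children);
  const h = buildHardened(children);
  return {
    vulnerableInjected: v.injected === true,  // inherited, not own
    vulnerableOwnsProto: Object.prototype.hasOwnProperty.call(v, '__proto__'),
    vulnerableClean: hasExpectedPrototype(v),
    hardenedInjected: h.injected === true,
    hardenedOwnsProto: Object.prototype.hasOwnProperty.call(h, '__proto__'),
    hardenedClean: hasExpectedPrototype(h),
    globalPolluted: ({}).injected !== undefined,  // Object.prototype untouched
  };
}

console.log(compare(SAMPLE_CHILDREN));
```

Note that in this minimal builder the `__proto__` key only re-parents the single result object; the `globalPolluted` field shows Object.prototype itself is left alone, which is why a per-object prototype check is the useful consumer-side test.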


WAF Protection Rules

WAF Rule

xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.
