Prototype Pollution Vulnerability in xmldom Package by xmldom
CVE-2022-37616

9.8CRITICAL

Key Information:

Vendor: Xmldom Project
Status: Xmldom
Vendor: CVE Published:; 11 October 2022

🔔 Create Xmldom Project Vulnerability Alert

What is CVE-2022-37616?

The xmldom package for Node.js contains a prototype pollution vulnerability in its copy function located in dom.js. This flaw allows an attacker to manipulate the object's prototype, potentially leading to unauthorized access or alteration of data. Although the vendor is evaluating the report, third-party sources recognize the validity of the risk posed by such prototype injections when target objects are compromised.

References

https://github.com/xmldom/xmldom/blob/bc36efddf9948aba156...

https://github.com/xmldom/xmldom/issues/436

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 11, 2022
Vulnerability Reserved
Aug 8, 2022

CVE-2022-37616 Data

JSON