fast-xml-parser vulnerable to Prototype Pollution through tag or attribute name
Moderate severity
GitHub Reviewed
Published Jun 11, 2023 in NaturalIntelligence/fast-xml-parser • Updated Dec 14, 2023
Published to the GitHub Advisory Database: Jun 13, 2023
Reviewed: Jun 13, 2023
Published by the National Vulnerability Database: Dec 12, 2023
Last updated: Dec 14, 2023
Description
Impact
As a part of this vulnerability, a user supplying XML was able to pollute the prototype of the parsed objects by using __proto__ as a tag or attribute name. Because properties written to Object.prototype are visible on every object in the process, any application that parses untrusted XML with an affected version is exposed, not only the code that inspects the parsed tree.
Patches
The problem has been patched in v4.1.2; upgrade to v4.1.2 or later.
Workarounds
Users who cannot upgrade can check the XML string for __proto__ and reject the document before passing it to the parser. A plain substring check is deliberately conservative: it also rejects documents that merely mention __proto__ in text content, which is the safe direction for untrusted input.
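The following is an added example, not code from fast-xml-parser or from the advisory's author. It uses a deliberately minimal XML-to-object converter (tags, attributes, text; no namespaces, comments, CDATA or entities, and attributes stored under their bare name, text under a "#text" key, all of which are assumptions of this toy) to show the mechanism described under Impact, a hardened variant that refuses reserved names before they are used as property keys, and the substring check from the Workarounds section. The payload and the benign document are constructed inputs.

```javascript
// Added example (not fast-xml-parser's own code): how a `__proto__` tag name
// turns a naive XML-to-object builder into a prototype pollution primitive,
// a hardened variant, and the advisory's pre-parse string check.

const TAG_RE = /<(\/?)([A-Za-z_][\w.:-]*)((?:\s+[A-Za-z_][\w.:-]*="[^"]*")*)\s*(\/?)>/g;
const ATTR_RE = /([A-Za-z_][\w.:-]*)="([^"]*)"/g;
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

// Minimal builder. `checkName` is called with every element and attribute
// name before it is used as a property key; the unsafe variant passes a no-op.
function parseXml(xml, checkName = () => {}) {
  const root = {};
  const stack = [{ name: null, node: root, parent: null }];
  const tagRe = new RegExp(TAG_RE.source, "g");
  let last = 0;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const [, closing, name, attrText, selfClosing] = m;
    const text = xml.slice(last, m.index).trim();
    last = tagRe.lastIndex;
    const frame = stack[stack.length - 1];
    if (closing) {
      if (name !== frame.name) throw new Error(`mismatched </${name}>`);
      if (text) {
        // A leaf with only text collapses to the string; otherwise "#text".
        if (Object.keys(frame.node).length === 0) frame.parent[frame.name] = text;
        else frame.node["#text"] = text;
      }
      stack.pop();
      continue;
    }
    checkName(name);
    // THE BUG: reuse an existing object container for this name. For
    // name === "__proto__" on a plain object this lookup resolves, via the
    // inherited accessor, to Object.prototype itself, so every child element
    // below it is written onto Object.prototype. (Repeated sibling tags
    // simply overwrite; arrays are not modelled in this toy.)
    let node = frame.node[name];
    if (typeof node !== "object" || node === null) {
      node = {};
      frame.node[name] = node;
    }
    for (const [, aName, aValue] of attrText.matchAll(ATTR_RE)) {
      checkName(aName); // attribute names take the same path as tag names
      node[aName] = aValue; // assumption: bare attribute name, no prefix
    }
    if (!selfClosing) stack.push({ name, node, parent: frame.node });
  }
  if (stack.length !== 1) throw new Error("unclosed element");
  return root;
}

// Hardened name check: refuse the names that alias the prototype chain before
// they become property keys. An XML document that legitimately uses them as
// element or attribute names is rejected rather than silently rewritten.
function rejectReserved(name) {
  if (RESERVED.has(name)) throw new Error(`refusing reserved name in XML: ${name}`);
}
const parseUnsafe = (xml) => parseXml(xml);
const parseSafe = (xml) => parseXml(xml, rejectReserved);

// Advisory workaround: reject the string before a vulnerable parser sees it.
// A substring test is conservative (it also rejects benign text content).
function containsProtoKey(xml) {
  return xml.includes("__proto__");
}

// Runs the three pieces against a constructed payload and a benign document,
// returning the observations and undoing the pollution it deliberately causes.
function demo() {
  const payload = "<root><__proto__><polluted>yes</polluted></__proto__></root>";
  const benign = '<root><user id="7">alice</user></root>';
  const results = {};
  parseUnsafe(payload);
  results.pollutedAfterUnsafe = ({}).polluted; // "yes": a fresh object inherits it
  delete Object.prototype.polluted; // clean up for the rest of the process
  let safeError = null;
  try { parseSafe(payload); } catch (e) { safeError = e.message; }
  results.safeRejected = safeError !== null;
  results.pollutedAfterSafe = ({}).polluted; // stays undefined
  results.benign = parseSafe(benign); // { root: { user: { id: "7", "#text": "alice" } } }
  results.workaroundBlocks = containsProtoKey(payload) && !containsProtoKey(benign);
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The pollution needs two ingredients that real object builders commonly have: a read of `parent[name]` to find or merge an existing container, which on a normal object returns Object.prototype for the key __proto__, and a subsequent write of children into that container. Validating names before they are used as keys (or building nodes with Object.create(null)) removes the first ingredient; the string check removes the input before either runs.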
References
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7