CVE-2022-37616

CRITICAL9.8EPSS 1.2%

Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom

Published: 10/11/2022Modified: 4/28/2026

Description

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

Affected packages (4)

Debian/node-xmldomfrom 0, < 0.5.0-1+deb11u1
Debian/node-xmldomfrom 0, < 0.1.27+ds-1+deb10u1
npm/xmldomfrom 0, <= 0.6.0
npm/@xmldom/xmldom>= 0.8.0, < 0.8.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (15)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-37616
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-37616
PATCHhttps://github.com/xmldom/xmldom
WEBhttps://dl.acm.org/doi/abs/10.1145/3488932.3497769
WEBhttps://dl.acm.org/doi/pdf/10.1145/3488932.3497769
WEBhttps://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L1
WEBhttps://github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js#L3
WEBhttps://github.com/xmldom/xmldom/blob/master/CHANGELOG.md#076
WEBhttps://github.com/xmldom/xmldom/issues/436
WEBhttps://github.com/xmldom/xmldom/issues/436#issuecomment-1319412826
WEBhttps://github.com/xmldom/xmldom/issues/436#issuecomment-1327776560
WEBhttps://github.com/xmldom/xmldom/pull/437
WEBhttps://github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj
WEBhttps://lists.debian.org/debian-lts-announce/2022/10/msg00023.html
WEBhttp://users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf