CVE-2023-0842 — xml2js is vulnerable to prototype pollution

Description

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

How to fix CVE-2023-0842

To remediate CVE-2023-0842, upgrade the affected package to a fixed version below.

—upgrade to 0.2.8-1.1+deb11u1 or later
—upgrade to 0.2.8-1.1+deb11u1~deb10u1 or later
—upgrade to 0.5.0 or later

Is CVE-2023-0842 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.2.8-1.1+deb11u1
from 0, < 0.2.8-1.1+deb11u1~deb10u1
from 0, < 0.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-0842
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-0842
PATCHgithub.com/Leonidas-from-XIV/node-xml2js
WEBfluidattacks.com/advisories/myers
WEB