Skip to content
This repository was archived by the owner on Dec 26, 2023. It is now read-only.
This repository was archived by the owner on Dec 26, 2023. It is now read-only.

v4.3.0: xml2js is vulnerable to prototype pollution #177

Open
Open
v4.3.0: xml2js is vulnerable to prototype pollution#177
@VladimirKhil

Description

@VladimirKhil
VladimirKhil
opened on May 23, 2023

Hi!

I got dependabot alert in my project referencing webpack-pwa-manifest v4.3.0:

xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

webpack-pwa-manifest@4.3.0 requires xml2js@^0.4.5 via a transitive dependency on parse-bmfont-xml@1.1.4
No patched version available for xml2js

The earliest fixed version is 0.5.0.

parse-bmfont-xml project seems to be unsupported. Could a reference to it be replaced by something else?

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions