This repository has been archived by the owner on Dec 26, 2023. It is now read-only.

v4.3.0: xml2js is vulnerable to prototype pollution #177

Open
VladimirKhil opened this issue May 23, 2023 · 0 comments
Comments

@VladimirKhil

Hi!

I got a dependabot alert in my project referencing webpack-pwa-manifest v4.3.0:

xml2js versions before 0.5.0 allow an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.

[email protected] requires xml2js@^0.4.5 via a transitive dependency on [email protected]
No patched version available for xml2js

The earliest fixed version is 0.5.0.

parse-bmfont-xml project seems to be unsupported. Could a reference to it be replaced by something else?
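The defect class the alert describes, shown as an added example that is not code from xml2js, parse-bmfont-xml or webpack-pwa-manifest: a merge that copies every key of parsed input onto a target object lets a key named __proto__ resolve to Object.prototype, so nested values land on every object in the process. The hardened merge beside it reads only own keys, rejects prototype-related names, and never reuses an inherited object as a nested target; findForbiddenKeys is a detection helper for screening untrusted parsed documents before they reach a merge. The sample input and all function names are constructed for this example.

```javascript
// Added example, not code from xml2js, parse-bmfont-xml or webpack-pwa-manifest.
// Constructed sample: the shape a parser produces when it turns element or
// attribute names into object keys. JSON.parse creates "__proto__" as an
// ordinary own data property (an object literal would not), which is exactly
// the input the advisory is about.
const UNTRUSTED = JSON.parse('{"name":"font","__proto__":{"polluted":"yes"}}');

function isPlainObject(v) {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// The vulnerable pattern: every key is copied, recursing into nested objects.
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// "polluted" onto the shared prototype rather than onto target.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the unsafe merge, reads the leaked property from an unrelated object,
// then removes it so the rest of the process is not left altered.
function demonstrateUnsafe() {
  unsafeMerge({}, UNTRUSTED);
  const leaked = ({}).polluted; // this object never saw UNTRUSTED
  delete Object.prototype.polluted;
  return leaked;
}

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened merge: only own keys of the source are read, prototype-related names
// fail closed, and a nested target is reused only when it is an own plain
// object, so no lookup can walk up the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: walks an untrusted parsed structure and returns the dotted
// paths of prototype-related keys, so a document can be rejected or logged
// before it is merged into anything.
function findForbiddenKeys(value, path = [], found = []) {
  if (!isPlainObject(value)) return found;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) found.push(here.join("."));
    findForbiddenKeys(value[key], here, found);
  }
  return found;
}

console.log("unsafe merge leaked:", demonstrateUnsafe());
console.log("forbidden keys in input:", findForbiddenKeys(UNTRUSTED));
try {
  safeMerge({}, UNTRUSTED);
} catch (e) {
  console.log("safe merge:", e.message);
}
console.log("still clean:", ({}).polluted === undefined);
```

Screening with findForbiddenKeys before any merge gives a log line to alert on (an XML document carrying a __proto__ element name has no legitimate reason to exist), while the fail-closed safeMerge is the guard that holds even when the screening step is skipped.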
