[BUG] Prototype Pollution vulnerability in @xmldom/xmldom@0.7.5 #789
Comments
It looks like it's not a direct dependency. Rather, it's a direct dependency of node-saml at v0.8.3, as well as its nested dependencies xml-crypto and xml-encryption at v0.7.5. Unfortunately, node-saml hasn't had an update in a year. An issue is already open for xml-crypto (node-saml/xml-crypto#260), but not xml-encryption.

Digging in, it looks like xml-crypto and xml-encryption packages only use the
I can't quite make sense of the code enough to confidently say if the vulnerable
I've submitted PR xmldom/xmldom#441 to hopefully backport the fix into 0.7.x, so that this can be mitigated without new versions of the intermediate dependencies. (Both xml-crypto and xml-encryption use
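The comment above points out that the affected package reaches the project only through transitive dependencies (passport-saml, node-saml, xml-crypto, xml-encryption), which is exactly the case where a plain `package.json` check misses it. The following is an added example, not code from this thread or from any of the projects mentioned: it walks a dependency tree in the shape that `npm ls --json` prints and reports every path that ends in `@xmldom/xmldom`, flagging versions below the fixed release the issue asks for (0.8.3). The tree embedded here is constructed for the example; the intermediate package versions in it (other than passport-saml 3.2.2, node-saml 0.8.3 and xmldom 0.7.5, which the thread names) are placeholders, and the helper names (`findPackagePaths`, `compareVersions`, `report`) are this example's own.

```javascript
// Added example (not from the issue thread): find every dependency path that
// reaches a given package in an `npm ls --json`-style tree and flag versions
// below the fixed one. Run with: node audit-tree.js

// Constructed sample tree. The nesting mirrors what the thread describes
// (passport-saml -> node-saml -> xml-crypto / xml-encryption -> @xmldom/xmldom);
// versions marked "placeholder" are made up for the example, not real lockfile data.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "passport-saml": {
      version: "3.2.2",
      dependencies: {
        "node-saml": {
          version: "0.8.3",
          dependencies: {
            "@xmldom/xmldom": { version: "0.7.5" },
            "xml-crypto": {
              version: "0.0.0-placeholder",
              dependencies: { "@xmldom/xmldom": { version: "0.7.5" } },
            },
            "xml-encryption": {
              version: "0.0.0-placeholder",
              dependencies: { "@xmldom/xmldom": { version: "0.7.5" } },
            },
          },
        },
      },
    },
    "some-other-lib": {
      version: "1.2.3",
      dependencies: { "@xmldom/xmldom": { version: "0.8.3" } },
    },
  },
};

// Compare two "x.y.z" version strings numerically. Returns -1, 0 or 1.
// Deliberately minimal: no prerelease or build-metadata handling.
function compareVersions(a, b) {
  const pa = String(a).split("-")[0].split(".").map(Number);
  const pb = String(b).split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over `dependencies`. Every occurrence of `target` is recorded
// with the full path of "name@version" segments that leads to it, so nested
// copies (one per consumer) are reported separately rather than deduplicated.
function findPackagePaths(tree, target, fixedVersion, path = []) {
  const hits = [];
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) {
      hits.push({
        path: here,
        version: node.version,
        vulnerable: compareVersions(node.version, fixedVersion) < 0,
      });
    }
    hits.push(...findPackagePaths(node, target, fixedVersion, here));
  }
  return hits;
}

// Print one line per path and return the findings for further processing.
function report(tree, target = "@xmldom/xmldom", fixedVersion = "0.8.3") {
  const hits = findPackagePaths(tree, target, fixedVersion);
  for (const h of hits) {
    const tag = h.vulnerable ? "VULNERABLE" : "ok        ";
    console.log(`${tag} ${h.path.join(" > ")}`);
  }
  return hits;
}

if (typeof require !== "undefined" && require.main === module) {
  report(SAMPLE_TREE);
}
```

Against a real project, replace `SAMPLE_TREE` with `JSON.parse` of the output of `npm ls --all --json`; the per-path output is what tells you which intermediate package has to move before the vulnerable copy disappears, which is the point the comment above makes about node-saml, xml-crypto and xml-encryption.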
@jftanner I believe @BenBullock1992 was talking about Line 53 in 8b6b2f2
You might be referring to unscope
About scoping change see additional information from #729 fwiw. If you were using unscope

You're right @srd90. Helps if I read more thoroughly. Thanks for the correction. Fortunately, the PR to backport the fix to

xml-crypto v3.0.0 was released this morning, with an updated version of xmldom.

Unless there is a CVE published for a dependency that the 3.x series uses, we likely won't be updating it. Even then, we hope to have the 4.x series released in November, after which we won't update the 3.x series at all. For

@cjbarth Can this issue be re-opened? There is a CVE☝️. Update: I removed npm_modules and

Feel free to make a PR against the 3.x branch. 4.0.1 is already released with the fix.
Hello,
Snyk identified a Prototype Pollution vulnerability in @xmldom/xmldom@0.7.5 which is a dependency of passport-saml@3.2.2.
https://security.snyk.io/vuln/SNYK-JS-XMLDOMXMLDOM-3042243
Please could you update @xmldom/xmldom to 0.8.3.
Thanks,
Ben