https://feed.craftedsignal.io/products/xmldom/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 23 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-xmldom-dos/Thu, 23 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-xmldom-dos/The xmldom library is vulnerable to a denial-of-service (DoS) attack due to uncontrolled recursion in XML serialization leading to application crashes.The xmldom library is susceptible to a denial-of-service (DoS) vulnerability due to uncontrolled recursion in XML serialization. Seven recursive traversals within lib/dom.js lack depth limits, causing a RangeError: Maximum call stack size exceeded and crashing the application when processing deeply nested XML documents. Publicly disclosed on 2026-04-06, the vulnerability impacts multiple functions, including normalize(), XMLSerializer.serializeToString(), and others related to DOM manipulation. This issue arises from the library’s pure-JavaScript recursive implementation of DOM operations, which exhausts the call stack. Exploitation requires no authentication or special options, affecting applications that process attacker-controlled XML using vulnerable xmldom versions ( < 0.8.13, >= 0.9.0 and < 0.9.10, and <= 0.6.0).

Attack Chain

1. An attacker crafts a malicious XML document with deeply nested elements.
2. The vulnerable application receives and parses the crafted XML document using DOMParser.parseFromString().
3. The application subsequently calls one of the affected DOM operations, such as normalize(), serializeToString(), getElementsByTagName(), or cloneNode(true).
4. The affected function initiates a recursive traversal of the deeply nested XML structure within lib/dom.js.
5. Each level of nesting consumes a JavaScript call stack frame.
6. The recursive calls continue until the JavaScript engine’s call stack is exhausted.
7. A RangeError: Maximum call stack size exceeded exception is thrown.
8. The application crashes due to the uncaught exception, leading to a denial of service.

Impact

Successful exploitation results in a denial-of-service condition. Any service parsing attacker-controlled XML with a vulnerable version of xmldom can be crashed by a single crafted payload. This can lead to failed request processing. In deployments where uncaught exceptions terminate the worker or process, the impact can extend beyond a single request and disrupt service availability more broadly. Tests show that stack exhaustion occurs with nesting depths between 5,000 and 10,000 levels depending on the operation.

Recommendation

• Upgrade @xmldom/xmldom to version >= 0.8.13 or >= 0.9.10 to remediate CVE-2026-41673.
• If upgrading is not immediately feasible, consider implementing input validation to limit the nesting depth of XML documents processed by applications using xmldom.
• Monitor application logs for RangeError: Maximum call stack size exceeded exceptions originating from lib/dom.js, which could indicate exploitation attempts.

]]>mediumadvisorydosxmldomrecursionjavascripthttps://feed.craftedsignal.io/briefs/2024-01-26-xmldom-injection/Fri, 26 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-xmldom-injection/The xmldom library is vulnerable to XML node injection, allowing attackers to inject arbitrary XML nodes into serialized output by manipulating comment content; this is mitigated by using the `requireWellFormed` option in `serializeToString` after upgrading to version 0.8.13 or 0.9.10.The xmldom library is susceptible to XML node injection due to a lack of validation when serializing comment nodes. Versions prior to 0.8.13 and versions between 0.9.0 and 0.9.10 are vulnerable. An attacker can inject arbitrary XML nodes into the serialized output by including comment-breaking sequences (e.g., -->) in the comment data. This allows them to alter the structure of the XML document. Exploitation involves crafting malicious input that leverages the library’s DOM construction and serialization flow. It matters because applications using xmldom to process potentially untrusted XML data could be coerced into generating malicious XML structures. The fix requires an opt-in requireWellFormed flag to be enabled when calling serializeToString().

Attack Chain

1. An application receives untrusted data intended for use in XML comment content.
2. The application calls createComment(data) in xmldom, passing the untrusted data. The library stores the data without proper validation.
3. The application constructs an XML document, including the comment node created in the previous step.
4. The application calls serializeToString() on the XML document to serialize it.
5. If the untrusted data contains comment-breaking sequences, such as -->, the serializer prematurely terminates the comment.
6. The serializer injects any subsequent content in the untrusted data as live XML markup.
7. The application stores, forwards, signs, or hands the serialized XML to another parser.
8. The downstream consumer trusts the altered XML structure, leading to unintended consequences, such as misconfiguration or security bypass.

Impact

Successful exploitation allows attackers to inject arbitrary XML nodes, potentially altering the structure and meaning of generated XML documents. This could lead to misconfiguration, policy bypass, or other security vulnerabilities in applications that rely on the integrity of the XML structure. The vulnerability affects applications that use xmldom to build XML from untrusted input. The number of victims depends on the usage of the vulnerable library and the exposure of applications to untrusted XML data.

Recommendation

• Upgrade to @xmldom/xmldom version 0.8.13 or 0.9.10 or later to gain access to the fix.
• Audit all calls to serializeToString() and add the { requireWellFormed: true } option when serializing comments containing potentially untrusted data.
• Implement server-side input validation to sanitize comment data by removing comment-breaking sequences like --> before passing it to createComment().
• Deploy the Sigma rule to detect comment injections.

]]>highadvisoryxmlinjectiondeserializationvulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-xmldom-xml-injection/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-xmldom-xml-injection/The xmldom package is vulnerable to XML injection. The package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. To address this applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node's publicId, systemId, or internalSubset properties should audit all serializeToString() call sites and add the option.The @xmldom/xmldom and xmldom packages are vulnerable to XML injection due to the lack of validation when serializing DocumentType node fields. Specifically, the internalSubset, publicId, and systemId fields are serialized verbatim without any escaping or validation. This vulnerability affects @xmldom/xmldom versions prior to 0.8.13 and versions 0.9.0 to 0.9.9, as well as xmldom versions up to 0.6.0. The vulnerability is triggered when these fields are programmatically set to attacker-controlled strings, leading to potential arbitrary markup injection outside the DOCTYPE declaration during serialization using XMLSerializer.serializeToString. This can lead to downstream XML parsers being susceptible to XXE attacks. Defenders should audit serializeToString() call sites and add { requireWellFormed: true } to mitigate this vulnerability.

Attack Chain

1. The attacker identifies an application using a vulnerable version of @xmldom/xmldom or xmldom.
2. The attacker finds a code path where they can control the publicId, systemId, or internalSubset properties of a DocumentType node.
3. The attacker crafts a malicious string containing XML injection payloads (e.g., closing DOCTYPE tags or injecting SYSTEM entities).
4. The attacker uses programmatic calls to createDocumentType or direct property writes to set the malicious string as the value of the publicId, systemId, or internalSubset field.
5. The application calls XMLSerializer.serializeToString on the document, without the { requireWellFormed: true } option.
6. The vulnerable serializer emits a DOCTYPE declaration where the injected malicious string is included verbatim, causing the DOCTYPE declaration to be terminated early or to include injected entities.
7. The serialized XML is passed to a downstream XML parser that performs entity expansion.
8. The downstream XML parser expands the injected entities, leading to potential XXE attacks, information disclosure, or other malicious actions.

Impact

Successful exploitation of this vulnerability can lead to the injection of arbitrary XML markup, potentially enabling XXE attacks against downstream XML parsers. The impact includes potential information disclosure, arbitrary code execution, or denial-of-service if the downstream parser expands external entities. This vulnerability impacts applications using vulnerable versions of @xmldom/xmldom and xmldom that construct DocumentType nodes from user-controlled data and serialize the document without proper validation.

Recommendation

• Upgrade to @xmldom/xmldom version 0.8.13 or later, or version 0.9.10 or later, to receive the fix.
• Upgrade to a version of xmldom greater than 0.6.0.
• Audit all calls to XMLSerializer.serializeToString() and add the option { requireWellFormed: true } to enforce validation of DocumentType node fields, as described in the advisory.
• Applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node’s publicId, systemId, or internalSubset properties should audit all serializeToString() call sites and add the option.

]]>highadvisoryxml-injectionxxedomxmldom