{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xmldom/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["xmldom"],"_cs_severities":["medium"],"_cs_tags":["dos","xmldom","recursion","javascript"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003exmldom\u003c/code\u003e library is susceptible to a denial-of-service (DoS) vulnerability caused by uncontrolled recursion in its DOM traversal and serialization routines. Seven recursive traversals within \u003ccode\u003elib/dom.js\u003c/code\u003e lack depth limits; on a sufficiently deeply nested document they throw \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e, which crashes the application if the exception is not caught. Publicly disclosed on 2026-04-06, the vulnerability affects multiple functions, including \u003ccode\u003enormalize()\u003c/code\u003e, \u003ccode\u003eXMLSerializer.serializeToString()\u003c/code\u003e, and other DOM manipulation routines. The root cause is that the library implements these operations as plain recursive JavaScript: every level of element nesting consumes one call-stack frame, so the depth an attacker can force is bounded only by the engine\u0026rsquo;s stack size. 
Exploitation requires no authentication and no special parser options; any application that processes attacker-controlled XML with a vulnerable version is exposed. Affected versions are \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e \u0026lt; 0.8.13 and \u0026gt;= 0.9.0 \u0026lt; 0.9.10, and every release of the unscoped legacy \u003ccode\u003exmldom\u003c/code\u003e package (\u0026lt;= 0.6.0).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an XML document with thousands of nested elements.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application receives the document and parses it with \u003ccode\u003eDOMParser.parseFromString()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application then calls one of the affected DOM operations, such as \u003ccode\u003enormalize()\u003c/code\u003e, \u003ccode\u003eserializeToString()\u003c/code\u003e, \u003ccode\u003egetElementsByTagName()\u003c/code\u003e, or \u003ccode\u003ecloneNode(true)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe affected function recursively walks the nested element tree inside \u003ccode\u003elib/dom.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEach level of nesting consumes one JavaScript call-stack frame, and the recursion continues until the engine\u0026rsquo;s call stack is exhausted.\u003c/li\u003e\n\u003cli\u003eA \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e exception is thrown.\u003c/li\u003e\n\u003cli\u003eIf the exception is not caught, the application (or the worker handling the request) terminates, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a denial-of-service condition. Any service parsing attacker-controlled XML with a vulnerable version of \u003ccode\u003exmldom\u003c/code\u003e can be crashed by a single crafted payload, and the payload is small: a few tens of kilobytes of nested open and close tags are enough. At minimum the affected request fails. 
In deployments where uncaught exceptions terminate the worker or process, the impact extends beyond a single request and disrupts service availability more broadly. The advisory reports that stack exhaustion occurs at nesting depths between roughly 5,000 and 10,000 levels, depending on the operation and on the engine\u0026rsquo;s stack size.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e to version \u0026gt;= 0.8.13 (0.8.x line) or \u0026gt;= 0.9.10 (0.9.x line) to remediate CVE-2026-41673. The unscoped \u003ccode\u003exmldom\u003c/code\u003e package is deprecated at 0.6.0 and receives no fixes; migrate it to \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, enforce a maximum element nesting depth on untrusted XML before it is parsed or handed to the affected DOM operations, and cap the document size as well, since nesting depth can never exceed the number of bytes in the input.\u003c/li\u003e\n\u003cli\u003eRun the affected operations inside a try/catch so that a \u003ccode\u003eRangeError\u003c/code\u003e fails the single request instead of terminating the process.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for \u003ccode\u003eRangeError: Maximum call stack size exceeded\u003c/code\u003e exceptions whose stack frames originate in \u003ccode\u003elib/dom.js\u003c/code\u003e; these may indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-xmldom-dos/","summary":"The xmldom library is vulnerable to a denial-of-service (DoS) attack due to uncontrolled recursion in its DOM traversal and serialization routines, leading to application crashes on deeply nested input.","title":"xmldom Uncontrolled Recursion DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-xmldom-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@xmldom/xmldom","xmldom"],"_cs_severities":["high"],"_cs_tags":["xml-injection","xxe","dom","xmldom"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e and \u003ccode\u003exmldom\u003c/code\u003e packages are vulnerable to XML injection because \u003ccode\u003eDocumentType\u003c/code\u003e node fields are not validated when they are serialized. 
Specifically, the \u003ccode\u003einternalSubset\u003c/code\u003e, \u003ccode\u003epublicId\u003c/code\u003e, and \u003ccode\u003esystemId\u003c/code\u003e fields are serialized verbatim, without escaping or validation. Affected are \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e versions prior to 0.8.13 and versions 0.9.0 through 0.9.9, and every release of the unscoped \u003ccode\u003exmldom\u003c/code\u003e package (up to 0.6.0). The vulnerability is triggered when these fields are programmatically set to attacker-controlled strings, for example through \u003ccode\u003ecreateDocumentType()\u003c/code\u003e or a direct property write. A value containing markup delimiters such as \u003ccode\u003e\u0026gt;\u003c/code\u003e terminates the DOCTYPE declaration early, and whatever follows is emitted as arbitrary markup outside it when the document is serialized with \u003ccode\u003eXMLSerializer.serializeToString\u003c/code\u003e. Where that output is handed to a downstream XML parser that resolves entities, the injected markup can declare external entities and expose that parser to XXE. The advisory recommends auditing \u003ccode\u003eserializeToString()\u003c/code\u003e call sites and passing \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e so that malformed field values are rejected instead of emitted.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application using a vulnerable version of \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e or \u003ccode\u003exmldom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker finds a code path where they control the \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e property of a \u003ccode\u003eDocumentType\u003c/code\u003e node.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a string carrying an XML injection payload, for example one that closes the DOCTYPE declaration early, or one that opens an internal subset containing \u003ccode\u003e\u0026lt;!ENTITY ... SYSTEM ...\u0026gt;\u003c/code\u003e declarations.\u003c/li\u003e\n\u003cli\u003eThe attacker causes the application to set that string, through \u003ccode\u003ecreateDocumentType\u003c/code\u003e or a direct property write, as the value of the \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e 
field.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eXMLSerializer.serializeToString\u003c/code\u003e on the document without the \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eThe vulnerable serializer emits a DOCTYPE declaration with the injected string included verbatim, so the declaration is terminated early or gains injected entity declarations.\u003c/li\u003e\n\u003cli\u003eThe serialized XML is passed to a downstream XML parser that resolves entities.\u003c/li\u003e\n\u003cli\u003eThe downstream parser expands the injected entities, enabling XXE: local file disclosure, requests to attacker-chosen URLs, or resource exhaustion, depending on that parser\u0026rsquo;s configuration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation injects arbitrary XML markup into serialized output, potentially enabling XXE against downstream XML parsers. The impact includes information disclosure and denial of service, and code execution only in the rare parser environments where external entities can reach such functionality; the actual damage depends on the parser that consumes the serialized document and whether it expands external entities. 
This vulnerability impacts applications using vulnerable versions of \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e and \u003ccode\u003exmldom\u003c/code\u003e that construct \u003ccode\u003eDocumentType\u003c/code\u003e nodes from user-controlled data and serialize the document without validation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e version 0.8.13 or later (0.8.x line), or 0.9.10 or later (0.9.x line), to receive the fix.\u003c/li\u003e\n\u003cli\u003eThe unscoped \u003ccode\u003exmldom\u003c/code\u003e package is deprecated at 0.6.0 and no fixed release of it exists; migrate to \u003ccode\u003e@xmldom/xmldom\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAudit all calls to \u003ccode\u003eXMLSerializer.serializeToString()\u003c/code\u003e and pass \u003ccode\u003e{ requireWellFormed: true }\u003c/code\u003e to enforce validation of \u003ccode\u003eDocumentType\u003c/code\u003e node fields, as described in the advisory. This matters most where \u003ccode\u003ecreateDocumentType()\u003c/code\u003e or direct writes to \u003ccode\u003epublicId\u003c/code\u003e, \u003ccode\u003esystemId\u003c/code\u003e, or \u003ccode\u003einternalSubset\u003c/code\u003e receive untrusted data.\u003c/li\u003e\n\u003cli\u003eIndependently of the library version, validate those fields against the XML grammar before they reach a \u003ccode\u003eDocumentType\u003c/code\u003e node: a public identifier may only contain the PubidChar set, a system literal must not contain both quote characters, and an \u003ccode\u003einternalSubset\u003c/code\u003e should never be built from untrusted input, since it is markup by definition.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-xmldom-xml-injection/","summary":"The xmldom package is vulnerable to XML injection. The package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim, without any escaping or validation. 
When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. Applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node's publicId, systemId, or internalSubset properties should upgrade, audit all serializeToString() call sites, and pass the { requireWellFormed: true } option.","title":"xmldom XML Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-xmldom-xml-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Xmldom","version":"https://jsonfeed.org/version/1.1"}
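The nesting-depth limit recommended as an interim mitigation in the xmldom DoS brief above, as an added example. This is not xmldom's code and does not depend on it: it scans the raw text for element tags and rejects the document before it reaches `DOMParser.parseFromString()` or any of the recursive `lib/dom.js` operations. `MAX_DEPTH`, the helper names, and the sample documents are assumptions for this example; the 512 limit is a policy value chosen well below the 5,000 to 10,000 levels at which the advisory reports stack exhaustion.

```javascript
// Added example, not xmldom's code. Assumed policy value: a real application
// should pick the smallest depth its own documents need.
const MAX_DEPTH = 512;

// Advance past the closing delimiter of a comment, CDATA section or PI.
function skipPast(xml, close, from) {
  const end = xml.indexOf(close, from);
  if (end === -1) throw new Error(`unterminated markup, expected ${close}`);
  return end + close.length;
}

// Find the '>' that closes the tag starting at `start`, ignoring any '>'
// that sits inside a quoted attribute value such as a="x>y".
function findTagEnd(xml, start) {
  let quote = null;
  for (let j = start + 1; j < xml.length; j++) {
    const c = xml[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return j;
  }
  throw new Error('unterminated tag');
}

// Skip a <!DOCTYPE ...> declaration, including an internal subset in [...],
// whose <!ENTITY ...> declarations must not be counted as elements.
function skipDoctype(xml, start) {
  let brackets = 0, quote = null;
  for (let j = start + 2; j < xml.length; j++) {
    const c = xml[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '[') brackets++;
    else if (c === ']') brackets--;
    else if (c === '>' && brackets === 0) return j + 1;
  }
  throw new Error('unterminated DOCTYPE');
}

// Return the maximum element nesting depth of `xml`, or throw as soon as
// `limit` is exceeded so an oversized document is never scanned to the end.
function measureNestingDepth(xml, limit = MAX_DEPTH) {
  let depth = 0, maxDepth = 0, i = 0;
  while (i < xml.length) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;
    let next = -1;
    if (xml.startsWith('<!--', lt)) next = skipPast(xml, '-->', lt + 4);
    else if (xml.startsWith('<![CDATA[', lt)) next = skipPast(xml, ']]>', lt + 9);
    else if (xml.startsWith('<?', lt)) next = skipPast(xml, '?>', lt + 2);
    else if (xml.startsWith('<!', lt)) next = skipDoctype(xml, lt);
    if (next !== -1) { i = next; continue; }
    const gt = findTagEnd(xml, lt);
    if (xml[lt + 1] === '/') {
      if (--depth < 0) throw new Error('close tag without open tag');
    } else if (xml[gt - 1] !== '/') {          // "<c/>" does not nest
      if (++depth > limit) throw new Error(`nesting depth exceeds ${limit}`);
      if (depth > maxDepth) maxDepth = depth;
    }
    i = gt + 1;
  }
  if (depth !== 0) throw new Error('unbalanced element tags');
  return maxDepth;
}

// Gate whatever parser the application uses behind the guard, e.g.
// (s) => new DOMParser().parseFromString(s, 'text/xml') from @xmldom/xmldom.
function parseUntrustedXml(xml, parse, limit = MAX_DEPTH) {
  const depth = measureNestingDepth(xml, limit);   // throws before parsing
  return { depth, doc: parse(xml) };
}

// Constructed sample inputs (not taken from the advisory).
const benign = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]>' +
  '<r a="x>y"><!-- <no> --><b><c/><![CDATA[<<d>>]]></b></r>';
const bomb = '<a>'.repeat(10000) + '</a>'.repeat(10000);

function demo() {
  const ok = parseUntrustedXml(benign, (s) => s.length);   // stand-in parser
  let rejected = null;
  try { parseUntrustedXml(bomb, (s) => s.length); } catch (e) { rejected = e.message; }
  return { benignDepth: ok.depth, rejected };
}

console.log(demo());
```

The scanner is a guard, not a parser: it only needs to never under-count element depth relative to the real parser, which holds because a raw `<` in well-formed XML always starts markup, and the constructs it skips (comments, CDATA, processing instructions, the DOCTYPE with its internal subset) are exactly the places where `<` does not open an element. Anything malformed is rejected outright and left for the real parser to diagnose.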
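The DocumentType field validation described in the xmldom XML injection brief above, as an added example that is not xmldom's code. `serializeDoctypeVerbatim` is a deliberately minimal model of the behaviour the advisory describes (the three fields dropped into the declaration unchanged) and does not reproduce xmldom's serializer; `validateDoctypeFields` is the check a caller can apply before untrusted values reach a `DocumentType` node, independent of the library version or the `requireWellFormed` option. The ASCII-only name check, the policy of rejecting any untrusted `internalSubset`, and the constructed payload are assumptions for this example.

```javascript
// Added example, not xmldom's code: a model of verbatim DOCTYPE serialization
// beside the validation that should precede it.
function serializeDoctypeVerbatim(name, publicId, systemId, internalSubset) {
  let out = `<!DOCTYPE ${name}`;
  if (publicId) out += ` PUBLIC "${publicId}" "${systemId}"`;
  else if (systemId) out += ` SYSTEM "${systemId}"`;
  if (internalSubset) out += ` [${internalSubset}]`;
  return out + '>';
}

// XML 1.0 grammar: PubidChar (section 2.3) and an ASCII subset of Name.
const PUBID_CHARS = /^[\x20\r\na-zA-Z0-9\-'()+,./:=?;!*#@$_%]*$/;
const ASCII_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;   // assumption: ASCII names only

// Returns a list of violations; an empty list means the fields are safe to emit.
function validateDoctypeFields({ name, publicId = '', systemId = '', internalSubset = '' }) {
  const errors = [];
  if (!ASCII_NAME.test(name)) errors.push('name is not an XML Name');
  if (!PUBID_CHARS.test(publicId)) errors.push('publicId contains characters outside PubidChar');
  // A SystemLiteral may use either quote character but not both; a serializer
  // that always wraps the value in double quotes is broken out of by one '"'.
  if (systemId.includes('"')) errors.push('systemId contains a double quote');
  if (/[\x00-\x08\x0b\x0c\x0e-\x1f]/.test(systemId)) errors.push('systemId contains control characters');
  // Policy choice for this example: the internal subset is where <!ENTITY ...>
  // declarations live, so it is never accepted from untrusted input.
  if (internalSubset !== '') errors.push('internalSubset must not come from untrusted input');
  return errors;
}

// Hardened counterpart: validate, then serialize only clean fields.
function serializeDoctypeSafely(fields) {
  const errors = validateDoctypeFields(fields);
  if (errors.length) throw new Error(`unsafe DocumentType: ${errors.join('; ')}`);
  return serializeDoctypeVerbatim(fields.name, fields.publicId, fields.systemId, fields.internalSubset);
}

// Constructed attacker-controlled publicId: closes the public literal, supplies
// a system literal, opens an internal subset declaring an external entity, and
// closes the DOCTYPE early. The serializer's own trailing '" "">' then lands
// outside the declaration, which is the early termination the advisory describes.
const INJECTED_PUBLIC_ID =
  '-//X//EN" "x.dtd" [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>';

function demo() {
  const verbatim = serializeDoctypeVerbatim('html', INJECTED_PUBLIC_ID, '', '');
  const violations = validateDoctypeFields({ name: 'html', publicId: INJECTED_PUBLIC_ID });
  const safe = serializeDoctypeSafely({
    name: 'html',
    publicId: '-//W3C//DTD XHTML 1.0 Strict//EN',
    systemId: 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd',
  });
  return { verbatim, violations, safe };
}

console.log(demo());
```

The PubidChar allow-list is the decisive check: every delimiter an injection needs (`"`, `<`, `>`, `[`, `]`) is outside it, so a public identifier that passes cannot alter the structure of the declaration. The system identifier is looser by grammar, which is why it is checked for the quote character the serializer uses rather than against a character class.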