Description
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
Remediation
References
https://fluidattacks.com/advisories/myers/
https://github.com/Leonidas-from-XIV/node-xml2js/
https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html
Related Vulnerabilities
CVE-2020-26939 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk14
CVE-2020-8127 Vulnerability in maven package org.webjars.bowergithub.hakimel:reveal.js
CVE-2022-31108 Vulnerability in maven package org.webjars.bower:mermaid
CVE-2021-21391 Vulnerability in npm package @ckeditor/ckeditor5-image
CVE-2021-20190 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind