Description
xml2js version 0.4.23 allows an external attacker to edit or add properties on the object the parser returns. The library does not validate element names taken from the incoming XML before using them as object keys, so a document containing an element named __proto__ causes that key to be assigned on the result object, which sets its prototype instead of an own property (prototype pollution). Values the attacker places under that element are then visible on ordinary property reads of the parsed object even though it has no matching own property, so application checks that rely on that object can be bypassed.
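The following is an added illustration, not code from xml2js or from this advisory: a deliberately small JavaScript XML-to-object converter that reproduces the bug class. In its "unsafe" mode it uses element names straight from the document as object keys, so an element named __proto__ swaps the prototype of the result and its children show up on property reads although the object has no own properties; its "safe" mode builds null-prototype objects and rejects reserved names. The tokenizer, the resolveRole application check and the two sample documents are constructed for this example and are assumptions, not xml2js's implementation.

```javascript
'use strict';

// Added example for this advisory; not xml2js code. A deliberately small
// XML-to-object converter that builds objects the way many parsers do
// (element name becomes the key) in "unsafe" mode, and one hardening of
// that step in "safe" mode. Assumptions: elements and text only; no
// attributes, namespaces, entities or CDATA are interpreted.

const TOKEN = /<\/([^\s>]+)\s*>|<([^\s>\/]+)[^>]*?(\/?)>|([^<]+)/g;
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample documents for the demonstration below.
const NORMAL_XML = '<user><name>alice</name><role>viewer</role></user>';
const MALICIOUS_XML = '<__proto__><role>admin</role></__proto__>';

// Store a document-controlled key on obj.
function setKey(obj, key, value, mode) {
  if (mode === 'unsafe') {
    // Vulnerable pattern: on a plain object, obj['__proto__'] = value does
    // not create an own property, it replaces the prototype of obj.
    obj[key] = value;
    return;
  }
  if (RESERVED.has(key)) {
    throw new Error(`rejected reserved element name "${key}"`);
  }
  // Hardened pattern: obj has no prototype (Object.create(null)) and
  // defineProperty only ever creates an own property.
  Object.defineProperty(obj, key, {
    value, enumerable: true, writable: true, configurable: true,
  });
}

function xmlToObject(xml, mode = 'safe') {
  const newObj = () => (mode === 'unsafe' ? {} : Object.create(null));
  const root = newObj();
  // One frame per open element: name, its object, collected text, and
  // whether it contained child elements.
  const stack = [{ name: null, obj: root, text: '', hasChildren: false }];
  TOKEN.lastIndex = 0;
  let m;
  while ((m = TOKEN.exec(xml)) !== null) {
    const [, closeName, openName, selfClosed, text] = m;
    const top = stack[stack.length - 1];
    if (openName !== undefined) {
      if (openName[0] === '?' || openName[0] === '!') continue; // declaration or comment
      const child = newObj();
      setKey(top.obj, openName, child, mode);
      top.hasChildren = true;
      if (!selfClosed) {
        stack.push({ name: openName, obj: child, text: '', hasChildren: false });
      }
    } else if (closeName !== undefined) {
      const frame = stack.pop();
      if (frame.name !== closeName) {
        throw new Error(`unexpected </${closeName}>`);
      }
      // A text-only element collapses to its trimmed text.
      const value = frame.text.trim();
      if (!frame.hasChildren && value !== '') {
        setKey(stack[stack.length - 1].obj, frame.name, value, mode);
      }
    } else {
      top.text += text;
    }
  }
  if (stack.length !== 1) throw new Error('unclosed element');
  return root;
}

// Hypothetical application check (constructed for this example): the code
// inspects Object.keys() to see what the client sent, then reads user.role,
// which walks the prototype chain and so sees the injected value.
function resolveRole(xml, mode) {
  const user = xmlToObject(xml, mode);
  const ownKeys = Object.keys(user);
  const role = user.role === undefined ? 'default' : user.role;
  return { ownKeys, role };
}

console.log(resolveRole(NORMAL_XML, 'unsafe'));    // { ownKeys: [ 'user' ], role: 'default' }
console.log(resolveRole(MALICIOUS_XML, 'unsafe')); // { ownKeys: [], role: 'admin' }
```

Note that the unsafe mode does not touch the global Object.prototype here: what changes is the prototype of the returned object, which is enough to defeat own-property inspection while property reads return attacker data. Either hardening alone (null-prototype result objects, or refusing __proto__, constructor and prototype as element names) stops the assignment; the example applies both.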
Remediation
Upgrade to xml2js 0.5.0 or later.
References
https://fluidattacks.com/advisories/myers/
https://github.com/Leonidas-from-XIV/node-xml2js/
https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html
Related Vulnerabilities
CVE-2019-10744 Vulnerability in maven package org.webjars:lodash
CVE-2022-41376 Vulnerability in npm package metro4
CVE-2022-41940 Vulnerability in maven package org.webjars.bower:engine.io
CVE-2021-26275 Vulnerability in npm package eslint-fixer
CVE-2021-21122 Vulnerability in maven package org.webjars.npm:electron