xmldom XML Injection Vulnerability via Unvalidated Comment Serialization

Vulnerability

A vulnerability in the xmldom package, affecting @xmldom/xmldom versions prior to 0.9.10 and 0.8.13 as well as xmldom version 0.6.0 and prior, allows XML injection through unvalidated comment data. The issue arises because the serializer does not validate or neutralize comment-terminating sequences in attacker-controlled comment content. This allows arbitrary XML nodes to be injected by closing the comment early, so that the remainder of the data is written into the serialized output as markup. The vulnerability has been addressed in @xmldom/xmldom versions 0.9.10 and 0.8.13.

Impact

Exploitation of this vulnerability results in XML injection: untrusted comment data is serialized without validation, which can alter the structure and meaning of the resulting XML document. This can affect any application workflow that generates, stores, or transmits XML, especially where the XML output is trusted by downstream consumers or is subject to schema validation.

Reproduction

To reproduce this vulnerability, create a comment node whose data contains the sequence '-->' (which closes a comment) followed by XML markup, such as an element with an attribute. When that node is serialized without the 'requireWellFormed' option, the injected markup appears in the output as live XML rather than as comment text, demonstrating the injection flaw.

Remediation

Users should update to @xmldom/xmldom version 0.9.10 or 0.8.13 to address this vulnerability. After updating, review all serialization calls and pass the 'requireWellFormed: true' option so that comment data is validated before it is written out.
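The check that the reproduction and remediation sections rely on, as an added example that is not code from xmldom or from this advisory: comment data is well-formed only if it contains no "--" and does not end with "-", which is what rejects a "-->" sequence. The serializer function, its option-passing signature and the sample inputs are this example's own assumptions, kept dependency-free so it runs under plain Node.js.

```javascript
// Added example, not code from xmldom or the advisory: a well-formedness
// check for comment data that mirrors the rule a strict XML serializer
// applies, beside a minimal serializer that shows the difference between
// rejecting ill-formed data and emitting it verbatim.

// XML 1.0: Comment ::= '<!--' ((Char - '-') | ('-' (Char - '-')))* '-->'
// so comment data may not contain "--" and may not end with "-".
// (A "-->" terminator necessarily contains "--", so it is caught here.)
function isWellFormedCommentData(data) {
  return typeof data === 'string' && !data.includes('--') && !data.endsWith('-');
}

// Minimal comment serializer. With { requireWellFormed: true } ill-formed
// data is rejected; without it the data is written verbatim, which is the
// unsafe default behaviour the advisory describes. The option name follows
// the advisory; the signature here is this example's own, not xmldom's.
function serializeComment(data, options = {}) {
  if (options.requireWellFormed && !isWellFormedCommentData(data)) {
    throw new Error('comment data is not well-formed: ' + JSON.stringify(data));
  }
  return '<!--' + data + '-->';
}

// Constructed samples: benign text, and data carrying the comment-closing
// sequence followed by markup, as in the reproduction section above.
const SAMPLES = [
  'generated by build 42',
  'note --><x a="1"/><!-- ',
];

// Run each sample through the strict serializer and record the outcome, so a
// reviewer can see which inputs would otherwise be emitted as live markup.
function checkSamples(samples = SAMPLES) {
  return samples.map((data) => {
    try {
      return { data, ok: true, output: serializeComment(data, { requireWellFormed: true }) };
    } catch (err) {
      return { data, ok: false, error: err.message };
    }
  });
}

console.log(checkSamples());
```

Running the second sample through serializeComment without the option shows why the check matters: the output closes the comment after "note ", then carries the element as real markup.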

Added: May 7, 2026, 4:29 AM
Updated: May 7, 2026, 4:29 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.