xmldom DOMParser and XMLSerializer Stack Overflow Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the xmldom library, in the DOMParser and XMLSerializer components. It affects @xmldom/xmldom versions prior to 0.9.10 (0.9.x line) and prior to 0.8.13 (0.8.x line), as well as the unscoped xmldom package at version 0.6.0 and earlier. The root cause is seven recursive functions in lib/dom.js that traverse the DOM tree with no depth limit: each nesting level consumes one JavaScript call-stack frame, so a sufficiently deep tree exhausts the stack and the runtime throws "RangeError: Maximum call stack size exceeded". If that exception is not caught, the application crashes. An attacker who can influence the shape of a DOM tree that the library later traverses or serializes only needs to make it deep enough to exceed the call-stack limit.

Impact

Exploitation causes a stack overflow inside the library, surfacing as a RangeError. In Node.js an uncaught exception terminates the process, so a single malicious document can take down a service that parses or serializes attacker-controlled XML, denying service to all of its users until it is restarted.

Reproduction

To reproduce, install an affected version (@xmldom/xmldom prior to 0.9.10 or 0.8.13, or xmldom 0.6.0 or earlier) and build a DOM tree nested deeply enough to exceed the maximum call stack size. The simplest way is to do it programmatically: start from a root element and repeatedly append a new child to the most recently added node, producing a long chain of nested elements. Passing that tree to one of the recursive traversal or serialization routines then triggers the RangeError.
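The following is an added illustration, not code from xmldom or from this advisory. It uses a minimal hypothetical element tree (the `Element` class, `buildNested`, and both serializers are constructed here for the example) to contrast the vulnerable pattern, a recursive serializer that spends one call frame per nesting level, with the pattern a fix takes, an explicit work stack that does not grow the JavaScript call stack. It also includes an iterative depth check of the kind a consumer can run on a tree before handing it to a recursive routine.

```javascript
// Added example: a tiny stand-in for a DOM element, not xmldom's implementation.
class Element {
  constructor(tagName) {
    this.tagName = tagName;
    this.childNodes = [];
  }
  appendChild(child) {
    this.childNodes.push(child);
    return child;
  }
}

// Build a chain of `depth` nested <a> elements: <a><a><a>...</a></a></a>
// This is the shape a reproduction constructs programmatically.
function buildNested(depth) {
  const root = new Element('a');
  let current = root;
  for (let i = 1; i < depth; i++) {
    current = current.appendChild(new Element('a'));
  }
  return root;
}

// Vulnerable pattern: recursion with no depth limit. Every nesting level is
// one more frame on the JS call stack, so a deep chain ends in RangeError.
function serializeRecursive(node) {
  let out = '<' + node.tagName + '>';
  for (const child of node.childNodes) {
    out += serializeRecursive(child);
  }
  return out + '</' + node.tagName + '>';
}

// Hardened pattern: the traversal keeps its own stack on the heap, so depth
// costs memory rather than call frames and cannot overflow the call stack.
function serializeIterative(root) {
  const parts = [];
  const work = [{ node: root, phase: 'open' }];
  while (work.length > 0) {
    const { node, phase } = work.pop();
    if (phase === 'open') {
      parts.push('<' + node.tagName + '>');
      work.push({ node, phase: 'close' });
      // Push children in reverse so they are emitted in document order.
      for (let i = node.childNodes.length - 1; i >= 0; i--) {
        work.push({ node: node.childNodes[i], phase: 'open' });
      }
    } else {
      parts.push('</' + node.tagName + '>');
    }
  }
  return parts.join('');
}

// Iterative depth measurement. A consumer that cannot upgrade yet can reject
// trees deeper than a policy limit before calling a recursive library routine.
function treeDepth(root) {
  let max = 0;
  const work = [{ node: root, depth: 1 }];
  while (work.length > 0) {
    const { node, depth } = work.pop();
    if (depth > max) max = depth;
    for (const child of node.childNodes) {
      work.push({ node: child, depth: depth + 1 });
    }
  }
  return max;
}

// Returns 'ok' when the serializer completes, otherwise the thrown error's
// constructor name, so callers can see which pattern survives deep input.
function trySerialize(serialize, node) {
  try {
    serialize(node);
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}

// Demonstration on a chain far deeper than the default call stack allows.
const deep = buildNested(500000);
console.log('recursive:', trySerialize(serializeRecursive, deep));   // RangeError
console.log('iterative:', trySerialize(serializeIterative, deep));   // ok
console.log('depth:', treeDepth(deep));
```

The two serializers produce identical output on shallow trees; only their behaviour on deep input differs, which is the whole point of the fix. The depth check is a stop-gap: it bounds what reaches a vulnerable routine, but it does not remove the recursion, so upgrading remains the real remediation.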

Remediation

Users of @xmldom/xmldom should upgrade to version 0.9.10 or later (or 0.8.13 or later on the 0.8.x line). The unscoped xmldom package (0.6.0 and earlier) is deprecated and does not receive fixes; its users should migrate to a fixed release of @xmldom/xmldom. Where an immediate upgrade is not possible, bounding the nesting depth of untrusted XML before it reaches the library, and catching exceptions around parse and serialize calls so a RangeError does not take down the whole process, reduces the exposure but does not remove the underlying recursion.

Added: May 7, 2026, 4:31 AM
Updated: May 7, 2026, 4:31 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.