xmldom DocumentType Node Injection Vulnerability

Vulnerability

A vulnerability in the xmldom package, specifically in versions prior to 0.9.10 and 0.8.13, allows XML injection through unvalidated serialization of DocumentType node fields. The XMLSerializer.serializeToString method emits these fields (such as the publicId and systemId) verbatim, without escaping or validation. When a field holds an attacker-controlled string, the serialized output can be manipulated to terminate the DOCTYPE declaration early, so that arbitrary markup appears outside of it. The affected package is @xmldom/xmldom in versions prior to 0.8.13 and in the 0.9.0 to 0.9.10 range.

Impact

Exploitation of this vulnerability allows arbitrary markup to be injected into the serialized output, escaping the DOCTYPE context. The practical impact depends on how that output is consumed: a downstream XML parser that re-parses it and expands entities from the injected DOCTYPE could be driven into an XXE attack if entity expansion is enabled.

Reproduction

To reproduce this vulnerability, create a DocumentType node whose fields hold unvalidated data, such as a publicId or systemId containing injection sequences, then serialize the document with XMLSerializer.serializeToString(). The injected content appears verbatim in the output, confirming the issue.

Remediation

Users should update to xmldom version 0.9.10 or 0.8.13, where this vulnerability has been patched. After updating, review all serialization calls and pass the { requireWellFormed: true } option so that DocumentType fields are validated before serialization.
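As an added example (not xmldom's own code) of the kind of validation the remediation calls for, the following standalone JavaScript checks DocumentType fields against the XML 1.0 literal rules before building the declaration, so a publicId or systemId cannot close the DOCTYPE early. The function names, regular expressions and sample inputs are assumptions, and rejecting '<' and '>' inside systemId is a conservative choice that is stricter than the specification.

```javascript
// Added example, not xmldom's code: validate DocumentType fields before
// emitting them, modelled on the XML 1.0 literal productions.
// Names, signatures and sample values below are assumptions.

// XML 1.0 Name, simplified to the ASCII subset plus the usual name characters.
const NAME_RE = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;
// XML 1.0 PubidChar: #x20 #xD #xA, alphanumerics and -'()+,./:=?;!*#@$_%
// (note that the double quote is deliberately absent from this set).
const PUBID_RE = /^[ \r\nA-Za-z0-9\-'()+,./:=?;!*#@$_%]*$/;

// Returns a list of problems; an empty list means the fields are safe to emit.
function validateDoctypeFields(name, publicId, systemId) {
  const errors = [];
  if (!NAME_RE.test(name)) errors.push('name is not a valid XML Name');
  if (publicId && !PUBID_RE.test(publicId)) {
    errors.push('publicId contains characters outside PubidChar');
  }
  // A SystemLiteral is delimited by " or ' and may contain one kind but not
  // both; a value holding both cannot be quoted without breaking the literal.
  if (systemId && systemId.includes('"') && systemId.includes("'")) {
    errors.push('systemId contains both quote characters');
  }
  // Conservative: markup delimiters in a system identifier are never expected.
  if (systemId && /[<>]/.test(systemId)) {
    errors.push('systemId contains markup delimiters');
  }
  return errors;
}

// Hardened serializer: refuses to build a DOCTYPE unless the fields validate,
// which is the behaviour the advisory's well-formedness option is meant to give.
function serializeDoctype(name, publicId, systemId) {
  const errors = validateDoctypeFields(name, publicId, systemId);
  if (errors.length) {
    throw new Error('refusing to serialize DOCTYPE: ' + errors.join('; '));
  }
  // Pick the quote character that does not occur in the literal.
  const quote = (s) => (s.includes('"') ? "'" + s + "'" : '"' + s + '"');
  let out = '<!DOCTYPE ' + name;
  if (publicId) out += ' PUBLIC ' + quote(publicId) + ' ' + quote(systemId || '');
  else if (systemId) out += ' SYSTEM ' + quote(systemId);
  return out + '>';
}

// Constructed sample input: a benign XHTML 1.0 Strict doctype.
console.log(serializeDoctype('html', '-//W3C//DTD XHTML 1.0 Strict//EN',
  'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'));
```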

Added: May 7, 2026, 4:26 AM
Updated: May 7, 2026, 4:26 AM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          6.6
impact          0.6
exploitability  6.0
remediation     8.3
relevance       7.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.