@xmldom/xmldom
cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:node.js:*:*
- < 0.8.13
- >= 0.9.0, < 0.9.10
A vulnerability in @xmldom/xmldom versions before 0.8.13 and in 0.9.x versions from 0.9.0 up to (but not including) 0.9.10, as well as in xmldom version 0.6.0 and prior, allows XML injection through unvalidated processing instruction (PI) data. The serializer does not validate or neutralize PI-closing sequences, so an attacker who controls PI data can terminate the PI early and inject arbitrary XML nodes. This vulnerability has been addressed in @xmldom/xmldom versions 0.9.10 and 0.8.13.
Exploitation of this vulnerability allows for injection of arbitrary XML elements through processing instructions, potentially altering the structure and meaning of the generated XML. This could impact any workflow that involves XML serialization and relies on the integrity of the XML structure, such as configuration files or XML-based message formats.
The vulnerability can be reproduced by creating a new document and appending a processing instruction with data that includes a PI-closing sequence, such as '?>'. When the document is serialized, the injected XML node is processed as active markup, demonstrating the successful exploitation of the vulnerability.
Users can update to @xmldom/xmldom versions 0.9.10 or 0.8.13 to address this vulnerability. After updating, it is important to pass the option '{ requireWellFormed: true }' to the 'XMLSerializer.serializeToString()' method to ensure proper validation of processing instruction data.
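As defense in depth alongside the upgrade and '{ requireWellFormed: true }', the following added example (not code from the xmldom project) walks a DOM tree before serialization and refuses to continue if any PI node's data contains '?>'. The function names are hypothetical, and the sample tree is built from plain objects that expose only the standard DOM properties nodeType, nodeName, target, data, firstChild and nextSibling.

```javascript
// Added example: pre-serialization guard for processing-instruction data.
// All function names here are hypothetical, not part of any library.
const PI_NODE = 7; // DOM nodeType of a ProcessingInstruction

// Walk the tree in document order and report every PI whose data
// contains the PI-closing sequence "?>".
function findUnsafePIs(node, path = '/', out = []) {
  if (node.nodeType === PI_NODE) {
    const data = String(node.data ?? '');
    const offset = data.indexOf('?>');
    if (offset !== -1) out.push({ target: node.target, path, offset });
  }
  let i = 0;
  for (let c = node.firstChild; c; c = c.nextSibling) {
    findUnsafePIs(c, `${path}${c.nodeName}[${i++}]/`, out);
  }
  return out;
}

// Throw instead of letting an unsafe tree reach the serializer.
function assertPIsSafe(root) {
  const bad = findUnsafePIs(root);
  if (bad.length > 0) {
    const where = bad.map(b => `${b.target} at ${b.path}`).join(', ');
    throw new Error(`refusing to serialize: PI data contains "?>" (${where})`);
  }
  return true;
}

// Helper that builds a plain-object stand-in for a DOM node (constructed data).
function mk(nodeType, nodeName, props = {}, children = []) {
  const n = { nodeType, nodeName, firstChild: null, nextSibling: null, ...props };
  children.forEach((c, i) => {
    if (i === 0) n.firstChild = c; else children[i - 1].nextSibling = c;
  });
  return n;
}

// Constructed sample: one benign PI and one PI carrying untrusted text.
function sampleDocument() {
  return mk(9, '#document', {}, [
    mk(7, 'xml-stylesheet', { target: 'xml-stylesheet', data: 'href="a.xsl"' }),
    mk(1, 'config', {}, [
      mk(7, 'note', { target: 'note', data: 'user text ?><extra/>' }),
    ]),
  ]);
}
```

Because the walker relies only on standard DOM properties, the same check can be run on a Document just before it is handed to 'XMLSerializer.serializeToString()'.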