
fix(deps): update dependency fast-xml-parser to v4.4.1 [security] - autoclosed #32

Conversation

renovate-bot (Contributor) commented Jul 29, 2024

This PR contains the following updates:

Package          Change
fast-xml-parser  4.3.2 -> 4.4.1
fast-xml-parser  4.2.5 -> 4.4.1

GitHub Vulnerability Alerts

CVE-2023-26920

Impact

As part of this vulnerability, a user was able to set code using __proto__ as a tag or attribute name.

```js
const { XMLParser, XMLBuilder, XMLValidator } = require("fast-xml-parser");

// Attacker-controlled document: the element name itself is __proto__.
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>"

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

// In affected versions the injected key is reachable on the parsed object.
console.log(jObj.polluted) // should return hacked
```

Patches

The problem has been patched in v4.1.2

Workarounds

User can check for "__proto__" in the XML string before passing it to the parser.

References

https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7

CVE-2024-41818

Summary

A ReDoS that exists in currency.js was discovered by the Gauss Security Labs R&D team.

Details

https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.4.0/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex

PoC

Pass the following string: '\t'.repeat(13337) + '.'

Impact

Denial of service during currency parsing in the experimental version 5 of the fast-xml-parser library.

https://gauss-security.com


Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v4.4.1
v4.4.0
v4.3.6
v4.3.5
v4.3.4
v4.3.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.

COMPARE TO master

Total Size Diff: +3.26 KB

Diff by File
Name            Diff
pnpm-lock.yaml  +3.26 KB

This PR is stale because it has been open for 10 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Aug 21, 2024
@github-actions github-actions bot removed the stale label Sep 2, 2024
This PR is stale because it has been open for 10 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Sep 17, 2024
@renovate-bot renovate-bot changed the title fix(deps): update dependency fast-xml-parser to v4.4.1 [security] fix(deps): update dependency fast-xml-parser to v4.4.1 [security] - autoclosed Oct 11, 2024
@renovate-bot renovate-bot deleted the renovate/npm-fast-xml-parser-vulnerability branch October 11, 2024 16:30