braintree / braintree_node

Braintree Node.js library
https://developer.paypal.com/braintree/docs/start/overview
MIT License

Update dependency `xml2js` to resolve CVE-2023-0842 #221

Closed dkhaye closed 1 year ago

dkhaye commented 1 year ago

General information

Issue description

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. See CVE-2023-0842 for more details. Please upgrade to 0.5.0 or newer.
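
The check below is an added example, not code from this issue or from the Braintree SDK: it guards against the bug class reported here by dropping `__proto__`-style keys from parser output before it is merged anywhere, and it detects whether `Object.prototype` has already been polluted. The helper names and the sample input are constructed for the example.

```javascript
// Guard for the class of bug in CVE-2023-0842: untrusted input whose keys
// include "__proto__" must never be merged into ordinary objects.
// Hypothetical helper names (sanitizeParsed, isObjectPrototypePolluted);
// the sample input below is constructed, not real xml2js output.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Deep-copy parser output into null-prototype objects, dropping keys that
// could reach Object.prototype. Dropped key paths are appended to `report`.
function sanitizeParsed(value, path = [], report = []) {
  if (Array.isArray(value)) {
    return value.map((item, i) => sanitizeParsed(item, path.concat(String(i)), report));
  }
  if (value === null || typeof value !== 'object') return value;
  const safe = Object.create(null);
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) {
      report.push(path.concat(key).join('.'));
      continue;
    }
    safe[key] = sanitizeParsed(value[key], path.concat(key), report);
  }
  return safe;
}

// Built-in Object.prototype members are non-enumerable, so any enumerable
// key on it is evidence that something polluted the prototype at runtime.
function isObjectPrototypePolluted() {
  return Object.keys(Object.prototype).length > 0;
}

// Constructed sample: the shape a naive XML-to-object conversion gives for
// <root><__proto__><polluted>yes</polluted></__proto__><name>x</name></root>.
// JSON.parse creates a real own property named "__proto__".
const SAMPLE = JSON.parse(
  '{"root":{"__proto__":{"polluted":["yes"]},"name":["x"]}}'
);

// Run the guard over the sample and return what a caller would inspect.
function auditSample() {
  const report = [];
  const safe = sanitizeParsed(SAMPLE, [], report);
  return { safe, report, polluted: isObjectPrototypePolluted() };
}

console.log(JSON.stringify(auditSample()));
```

Upgrading xml2js to 0.5.0 or newer remains the actual fix; the guard is a second layer for code that merges parsed data into configuration or model objects.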

hollabaq86 commented 1 year ago

Hey @dkhaye, thanks for reaching out, we'll take a look at this and try to get this library updated as soon as possible. At a cursory look I think we'll be able to update without issue because xml2js supports Node versions as low as Node 4 (this SDK still supports down to Node v10 🙃 ). If not, we'll come back with another update.

For internal tracking, issue 7872

johnatandantas commented 1 year ago

Hello, that's right, this library has a vulnerability in this version; from what I saw, the xml2js supplier made the correction two days ago. When we try to overwrite to the latest version, the Braintree SDK doesn't work.

hollabaq86 commented 1 year ago

@johnatandantas we're working on this update now, we understand this vulnerability is a high priority. Thanks!

hollabaq86 commented 1 year ago

This has been updated in v3.15.0