Closed dkhaye closed 1 year ago
Hey @dkhaye thanks for reaching out, we'll take a look at this and try to get this library updated as soon as possible. At a cursory look I think we'll be able to update without issue because xml2js supports Node versions as low as Node 4 (this SDK still supports down to Node v10 🙃 ). If not, we'll come back with another update.
For internal tracking, issue 7872
Hello, that's right, this library has a vulnerability in this version. From what I saw, the xml2js supplier made the correction two days ago. When we try to overwrite to the latest version, the braintree sdk doesn't work.
@johnatandantas we're working on this update now, we understand this vulnerability is a high priority. Thanks!
This has been updated in v3.15.0
General information
Issue description
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. See CVE-2023-0842 for more details. Please upgrade to 0.5.0 or newer.
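
One way to confirm that no copy of xml2js below 0.5.0 is left in a dependency tree after upgrading, including nested copies pulled in by other packages. This is an added example, not code from the issue or from the Braintree SDK; it assumes an npm lockfile in the v2/v3 `packages` layout, and the lockfile contents and the names `demo-app`, `legacy-sdk` and `xml2js-helper` are constructed.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" layout) for xml2js < 0.5.0.
// Constructed sample; demo-app, legacy-sdk and xml2js-helper are hypothetical names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/braintree": { version: "3.15.0" },
    "node_modules/xml2js": { version: "0.5.0" },
    "node_modules/legacy-sdk": { version: "1.0.0" },
    "node_modules/legacy-sdk/node_modules/xml2js": { version: "0.4.23" },
    "node_modules/xml2js-helper": { version: "0.1.0" },
  },
};

const FIXED = [0, 5, 0]; // first release the issue names as safe

// Accept only plain major.minor.patch; anything else is left for manual review.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Every installed copy has its own key, so nested copies are reported too.
function findVulnerableXml2js(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Package name is whatever follows the last "node_modules/" segment.
    if (path.split("node_modules/").pop() !== "xml2js") continue;
    const parsed = parseVersion(meta.version);
    if (parsed === null) {
      findings.push({ path, version: meta.version, status: "review" });
    } else if (isBelow(parsed, FIXED)) {
      findings.push({ path, version: meta.version, status: "vulnerable" });
    }
  }
  return findings;
}

console.log(findVulnerableXml2js(sampleLock));
```

A nested finding such as the `legacy-sdk` copy here means the parent package still pins the old release, so upgrading the top-level dependency alone does not remove it.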