Open renovate[bot] opened 2 months ago
This PR contains the following updates:
4.0.9 -> 4.4.1
GitHub Vulnerability Alerts
CVE-2023-26920
Impact
As a part of this vulnerability, a user was able to pollute an object's prototype by using `__proto__` as a tag or attribute name. The advisory's proof of concept:
```javascript
const { XMLParser, XMLBuilder, XMLValidator } = require("fast-xml-parser");

// A tag named __proto__ becomes a property key on the parsed object.
let XMLdata = "<__proto__><polluted>hacked</polluted></__proto__>";
const parser = new XMLParser();
let jObj = parser.parse(XMLdata);

// On an unpatched version "polluted" is reachable through the prototype chain.
console.log(jObj.polluted); // should return hacked
```
Patches
The problem has been patched in v4.1.2.
Workarounds
Users can check the XML string for `__proto__` before passing it to the parser. A plain substring check also rejects documents that merely mention `__proto__` in text content, so upgrading to a patched release is the proper fix.
References
https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
CVE-2024-41818
Summary
A ReDoS in currency.js was discovered by the Gauss Security Labs R&D team.
Details
https://github.com/NaturalIntelligence/fast-xml-parser/blob/v4.4.0/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex.
PoC
Pass the following string to the currency parser: `'\t'.repeat(13337) + '.'`
Impact
Denial of service during currency parsing in the experimental version 5 of the fast-xml-parser library.
https://gauss-security.com
Release Notes
NaturalIntelligence/fast-xml-parser (fast-xml-parser)
- [v4.4.1](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.4.0...v4.4.1)
- [v4.4.0](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.6...v4.4.0)
- [v4.3.6](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.5...v4.3.6)
- [v4.3.5](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.4...v4.3.5)
- [v4.3.4](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.3...v4.3.4)
- [v4.3.3](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.2...v4.3.3)
- [v4.3.2](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.1...v4.3.2)
- [v4.3.1](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.3.0...v4.3.1)
- [v4.3.0](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.7...v4.3.0)
- [v4.2.7](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.6...v4.2.7)
- [v4.2.6](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.5...v4.2.6)
- [v4.2.5](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.4...v4.2.5)
- [v4.2.4](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.2.4): Security Fix ([compare](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.3...v4.2.4)). Update to this release if you use entity parsing in Fast XML Parser.
- [v4.2.3](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/4.2.2...v4.2.3)
- [v4.2.2](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/4.2.1...4.2.2)
- [v4.2.1](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.0...4.2.1)
- [v4.2.0](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.4...v4.2.0)
- [v4.1.4](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.3...v4.1.4)
- [v4.1.3](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.2...v4.1.3)
- [v4.1.2](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.1...v4.1.2)
- [v4.1.1](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.1.0...v4.1.1)
- [v4.1.0](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.15...v4.1.0)
- [v4.0.15](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.14...v4.0.15)
- [v4.0.14](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.13...v4.0.14)
- [v4.0.13](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.12...v4.0.13)
- [v4.0.12](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.11...v4.0.12)
- [v4.0.11](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.10...v4.0.11)
- [v4.0.10](https://redirect.github.com/NaturalIntelligence/fast-xml-parser/compare/v4.0.9...v4.0.10)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
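The prototype pollution described under CVE-2023-26920 above, as an added example that is not part of the Renovate PR and not fast-xml-parser's code. It isolates the one step any XML-to-object parser performs where a child tag name becomes a property key: `buildNodeUnsafe` does it the naive way, `buildNodeSafe` refuses the dangerous names, and `xmlUsesProtoAsName` is the advisory's workaround narrowed to tag and attribute names rather than a substring match. No XML is parsed here; the `[tagName, value]` list is constructed by hand to mirror the PoC, and every function name, the key list and both regexes are my assumptions, so it runs without the library installed.

```javascript
// Added example, not fast-xml-parser's code: the moment where a parser turns
// child tag names into property keys, shown with a hand-built children list
// instead of real XML so it runs without the library installed.

// Property names that alter an object's behaviour instead of storing data.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive builder: children is an array of [tagName, value] pairs.
function buildNodeUnsafe(children) {
  const node = {};
  for (const [name, value] of children) {
    // With name === "__proto__" this is not a data property: it invokes the
    // Object.prototype.__proto__ setter and replaces node's prototype.
    node[name] = value;
  }
  return node;
}

// Hardened builder: a null-prototype object has no __proto__ accessor, and the
// unsafe names are refused outright so they cannot resurface later when the
// node is copied into an ordinary object (Object.assign, a deep merge).
function buildNodeSafe(children) {
  const node = Object.create(null);
  for (const [name, value] of children) {
    if (UNSAFE_KEYS.has(name)) {
      throw new Error(`refusing "${name}" as a property name`);
    }
    node[name] = value;
  }
  return node;
}

// The advisory's workaround as a pre-parse check on the raw XML text, but
// applied to tag names and attribute names only: <a>__proto__</a> is text
// content, never a key, so it is not flagged. Assumed regexes, not the library's.
const PROTO_TAG_RE = /<\/?\s*__proto__(?=[\s\/>])/;
const PROTO_ATTR_RE = /\s__proto__\s*=/;

function xmlUsesProtoAsName(xml) {
  return PROTO_TAG_RE.test(xml) || PROTO_ATTR_RE.test(xml);
}

// Constructed input mirroring the PoC <__proto__><polluted>hacked</polluted></__proto__>
// after a naive parser has turned it into [tagName, value] pairs.
const pocChildren = [["__proto__", { polluted: "hacked" }]];

const polluted = buildNodeUnsafe(pocChildren);
// "hacked" is reachable through the prototype chain, yet Object.keys(polluted)
// is empty and hasOwnProperty says false, which is why naive validation misses it.
console.log(polluted.polluted, Object.keys(polluted).length,
  Object.prototype.hasOwnProperty.call(polluted, "polluted"));

try {
  buildNodeSafe(pocChildren);
} catch (err) {
  console.log("safe builder:", err.message);
}

console.log(xmlUsesProtoAsName("<__proto__><polluted>hacked</polluted></__proto__>"),
  xmlUsesProtoAsName("<a>__proto__</a>"));
```

Rejecting the key is deliberately preferred over relying on `Object.create(null)` alone: a null-prototype node can carry an own `__proto__` property safely, but the moment that node is merged into a normal object with `Object.assign` or a recursive merge, the `[[Set]]` on the target invokes the accessor again and the pollution comes back.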
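The regular-expression denial of service described under CVE-2024-41818 above, as an added example that is not part of the Renovate PR and not fast-xml-parser's code. The page does not quote the regex at currency.js#L10, so `VULNERABLE_CURRENCY_RE` is a stand-in I wrote with the failure mode the advisory's payload exploits (two adjacent, overlapping `\s*` quantifiers ahead of a required digit); `SAFE_CURRENCY_RE`, the 64-character cap and all function names are my assumptions rather than the library's fix.

```javascript
// Added example, not fast-xml-parser's code. The page does not quote the regex
// at currency.js#L10, so VULNERABLE_CURRENCY_RE is a stand-in with the failure
// mode the advisory exploits: two adjacent `\s*` quantifiers ahead of a required
// digit. On "\t".repeat(n) + "." the engine tries every way of splitting the
// tabs between the two `\s*` before giving up, so the time grows with n^2.
const VULNERABLE_CURRENCY_RE = /^\s*[$€£¥₹]?\s*[\d,]+(\.\d+)?\s*[$€£¥₹]?\s*$/;

// Hardened stand-in (assumed limits, not the library's): reject oversized input
// before the regex runs, trim once, and match with a pattern that has no
// overlapping quantifiers, so backtracking is bounded by a small constant.
const MAX_CURRENCY_LENGTH = 64;
const SAFE_CURRENCY_RE = /^[$€£¥₹]? ?\d[\d,]*(\.\d+)?$/;

function looksLikeCurrencyUnsafe(str) {
  return VULNERABLE_CURRENCY_RE.test(str);
}

function looksLikeCurrencySafe(str) {
  if (typeof str !== "string" || str.length > MAX_CURRENCY_LENGTH) return false;
  return SAFE_CURRENCY_RE.test(str.trim());
}

// The advisory's payload with an adjustable length: n tabs followed by a dot.
function redosPayload(n) {
  return "\t".repeat(n) + ".";
}

// Wall-clock milliseconds for one call (for the demo below; not asserted on).
function timeMs(check, input) {
  const start = process.hrtime.bigint();
  check(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Doubling n roughly quadruples the unsafe time while the safe check stays flat.
for (const n of [500, 1000, 2000, 4000]) {
  const payload = redosPayload(n);
  console.log(
    `n=${n}: unsafe ${timeMs(looksLikeCurrencyUnsafe, payload).toFixed(1)} ms, ` +
    `safe ${timeMs(looksLikeCurrencySafe, payload).toFixed(3)} ms`
  );
}
```

The length cap is the part worth keeping whatever regex sits behind it: the advisory's 13338-character payload never reaches the pattern, so a later regression in the regex cannot turn back into a denial of service, and a value parser for prices has no legitimate reason to accept input that long.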