This PR contains the following updates:
4.2.2 -> 4.2.4
GitHub Vulnerability Alerts
CVE-2023-34104
Impact
"fast-xml-parser" allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for DoS attacks. By crafting an entity name that results in an intentionally poorly performing regex and using it in the entity replacement step of the parser, an attacker can cause the parser to stall for an indefinite amount of time.
Patches
The problem has been resolved in v4.2.4
Workarounds
Avoid using DOCTYPE parsing by setting the `processEntities: false` option.
References
Are there any links users can visit to find out more?
Release Notes
NaturalIntelligence/fast-xml-parser (fast-xml-parser)
### [`v4.2.4`](https://togithub.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.2.4): Security Fix
[Compare Source](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/v4.2.3...v4.2.4)
Update to this release if you use entity parsing in Fast XML Parser.
### [`v4.2.3`](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/4.2.2...v4.2.3)
[Compare Source](https://togithub.com/NaturalIntelligence/fast-xml-parser/compare/4.2.2...v4.2.3)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
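The Impact section above describes an entity name being placed into a regex without escaping. As an added example (not code from fast-xml-parser or from this PR), the following JavaScript contrasts that pattern with an escaped build and a strict name check; all function names are hypothetical and the sample input is constructed and benign.

```javascript
// Added illustration: these helpers are hypothetical, not fast-xml-parser internals.

// Unsafe pattern: the entity name declared in the DOCTYPE is concatenated into
// a RegExp as-is, so regex metacharacters in the name become pattern syntax.
function buildEntityRegexUnsafe(name) {
  return new RegExp("&" + name + ";", "g");
}

// Hardened: escape every regex metacharacter so the name only matches literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function buildEntityRegexSafe(name) {
  return new RegExp("&" + escapeRegExp(name) + ";", "g");
}

// Stricter alternative (assumption: a conservative ASCII subset of XML names is
// enough for the application): refuse the declaration instead of escaping it.
function isPlainEntityName(name) {
  return /^[A-Za-z_][A-Za-z0-9_-]*$/.test(name);
}

// Replace &name; references using whichever regex builder is passed in.
// A function replacement keeps "$" sequences in the value from being expanded.
function replaceEntities(text, entities, buildRegex) {
  let out = text;
  for (const [name, value] of Object.entries(entities)) {
    out = out.replace(buildRegex(name), () => value);
  }
  return out;
}

// Constructed sample: an entity whose name contains the metacharacter ".".
const sampleEntities = { "a.c": "X" };
const sampleText = "&a.c; &abc;";

// Unescaped, "." acts as a wildcard and the undeclared &abc; is replaced too.
console.log(replaceEntities(sampleText, sampleEntities, buildEntityRegexUnsafe));
// Escaped, only the declared reference is replaced.
console.log(replaceEntities(sampleText, sampleEntities, buildEntityRegexSafe));
// The strict check rejects the name before any regex is built.
console.log(isPlainEntityName("a.c"));
```

The same interpretation of the name as pattern syntax is what lets a crafted name produce a slow regex, which is why escaping or rejecting the name closes the issue at the source.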