CVE-2023-0842 medium vulnerability reported against latest release 0.4.23

[wnm3]

Today we started getting notifications for xml2js libraries having a medium vulnerability. I'd been using an older version 0.4.19 so forced updates to the latest 0.4.23 but the vulnerability remains with the current version. I know these are often debated whether they represent real problems, but if there is a fix you could issue that would be great. Thanks in advance for your help.

The problem reported by our monitoring system (whitesource/Mend) provided this detail:
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the proto property to be edited.

It seems the fix is to disallow keys for proto from XML content to be added in the js object...

NIST just shows this as awaiting analysis: https://nvd.nist.gov/vuln/detail/CVE-2023-0842

[cspotcode]

This affects users of the latest aws-sdk v2, since it directly depends on xml2js.
https://www.npmjs.com/package/aws-sdk?activeTab=dependencies

xml2js was most recently published in 2019, but the most recent code changes were merged in 2020, docs changes merged more recently than that.
https://www.npmjs.com/package/xml2js?activeTab=versions
https://github.com/Leonidas-from-XIV/node-xml2js/commits/master

[Fotiman]

This provides a great example for reproducing the vulnerability:
https://fluidattacks.com/advisories/myers/

[cspotcode]

That report says that on 2023-02-14 "Vendor replied acknowledging the report" but I'm not sure if that means a fix is planned or not.

[dmattia]

Github's advisory lists this as high severity: GHSA-776f-qx25-q3cc

[tambor81]

we found this CVE-2023-0842 reported as HIGH in our daily build breaking for this library (our build breaks only for High and critical), it shouldn't be high!, because it depends on protractor (for e2e tests or unit tests) which is EOL, webdriver and other deprecated libraries

Protractor is EOL and will be removed from @angular-devkit/build-angular on Angular 16...,

is anybody fixing this?

[matthewmayer]

Obligatory XKCD

[Arisamiga]

There has been a Pull Request open #603 that is a fix for this vulnerability sense 2021

[OIRNOIR]

I wish there was a facepalm reaction. We could have fixed the vulnerability a long time ago.