Hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
- Vulnerability Type
Prototype Pollution Vulnerability (Critical)
- Root Cause
When parsing XML, the xml2js module directly uses XML tag names (nodeName) as property names for JavaScript objects for assignment, without filtering dangerous keys such as `__proto__`, `constructor`, and `prototype`. Attackers can trigger prototype pollution by constructing malicious XML documents containing dangerous tag names.
- Location of Vulnerable Code
File Path: node_modules/xml2js/lib/parser.js
assignOrPush() Function: Directly uses the key from the XML tag name to assign values to the object without filtering dangerous keys;
onclosetag Callback: Passes the XML tag name nodeName into assignOrPush() as a property name without filtering.
- PoC Exploit Example
Malicious XML Document

```xml
<root>
  <__proto__>
    <polluted>yes</polluted>
  </__proto__>
</root>
```
Verification Code

```javascript
const xml2js = require('xml2js');
const maliciousXml = '<root><__proto__><polluted>yes</polluted></__proto__></root>';
xml2js.parseString(maliciousXml, (err, result) => {
  // __proto__ is treated as a normal tag during parsing
  const obj = {};
  console.log(obj.polluted); // May output "yes"
});
```
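The fix the root-cause section points at is a key filter in front of the assignment step, plus a result object whose prototype cannot be reached through the `__proto__` accessor. The following is an added example written for this report, not xml2js's own code: `safeAssignOrPush` approximates the assign-then-push-into-array semantics the report attributes to `assignOrPush()` (an assumption about the library's behaviour), refuses the three keys the report names, and builds nodes with `Object.create(null)`. `buildSafely` stands in for the `onclosetag` walk over a constructed node tree shaped like the report's XML, and `prototypePollutionMarkers` is a small post-parse check a defender can run to confirm `Object.prototype` gained no enumerable properties.

```javascript
// Added example (not xml2js code): hardened assign-or-push plus a pollution check.
// The blocked key list is exactly the one the report names.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isDangerousKey(key) {
  return typeof key !== 'string' || DANGEROUS_KEYS.has(key);
}

// Assign value under key; a repeated key turns the slot into an array.
// (Approximation of the assignOrPush behaviour described in the report; assumption.)
// Returns false, without assigning, when the key could reach Object.prototype.
function safeAssignOrPush(obj, key, value) {
  if (isDangerousKey(key)) return false;
  if (!Object.prototype.hasOwnProperty.call(obj, key)) {
    obj[key] = value;
  } else if (!Array.isArray(obj[key])) {
    obj[key] = [obj[key], value];
  } else {
    obj[key].push(value);
  }
  return true;
}

// Null-prototype result nodes: even if a filter were bypassed, there is no
// inherited __proto__ setter to reach Object.prototype through.
function newResultNode() {
  return Object.create(null);
}

// Detection: list enumerable properties a plain object inherits from its
// prototype chain. A clean runtime returns [].
function prototypePollutionMarkers(sample = {}) {
  const inherited = [];
  for (const k in sample) { // for-in also visits inherited enumerable props
    if (!Object.prototype.hasOwnProperty.call(sample, k)) inherited.push(k);
  }
  return inherited;
}

// Stand-in for the parser's onclosetag walk: nodes are {name, text, children}.
// Returns the assembled result and the tag names that were refused.
function buildSafely(root) {
  const rejected = [];
  function walk(node) {
    if (node.children.length === 0) return node.text;
    const out = newResultNode();
    for (const child of node.children) {
      const value = walk(child);
      if (!safeAssignOrPush(out, child.name, value)) rejected.push(child.name);
    }
    return out;
  }
  return { result: walk(root), rejected };
}

// Constructed input mirroring the report's XML, plus a repeated <item> tag
// to exercise the array path.
const CONSTRUCTED_TREE = {
  name: 'root', text: '', children: [
    { name: '__proto__', text: '', children: [
      { name: 'polluted', text: 'yes', children: [] },
    ] },
    { name: 'item', text: 'a', children: [] },
    { name: 'item', text: 'b', children: [] },
  ],
};

const built = buildSafely(CONSTRUCTED_TREE);
console.log('rejected tags:', built.rejected);            // [ '__proto__' ]
console.log('item values:', built.result.item);           // [ 'a', 'b' ]
console.log('polluted on {}:', ({}).polluted);            // undefined
console.log('markers:', prototypePollutionMarkers());     // []
```

The two layers are deliberately redundant: the key filter keeps attacker-controlled tag names out of the object entirely, and the null-prototype node means that even an unfiltered `__proto__` assignment would land as an own property rather than rewiring the prototype chain. Running `prototypePollutionMarkers()` after parsing untrusted input is a cheap regression check for either layer being removed.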