Skip to content

[Aikido] Fix critical issue in @xmldom/xmldom via minor version upgrade from 0.7.5 to 0.7.7 in packages#27

Open
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-55452737-pot1
Open

[Aikido] Fix critical issue in @xmldom/xmldom via minor version upgrade from 0.7.5 to 0.7.7 in packages#27
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-55452737-pot1

Conversation

@aikido-autofix

Copy link
Copy Markdown

Upgrade @xmldom/xmldom to fix critical XML parsing vulnerabilities including malformed document handling and potential DoS/RCE issues.

⚠️ Breaking changes in this upgrade

All breaking changes by upgrading @xmldom/xmldom from version 0.7.5 to 0.7.7 (CHANGELOG)

Version Description
0.7.7
Security fix prevents inserting DOM nodes when they are not well-formed; non-well-formed parts are transformed into text nodes with encoded XML characters like < and >, which may break code expecting the previous behavior
✅ 1 CVE resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2022-39353
🚨 CRITICAL
[@xmldom/xmldom] The XML parser incorrectly accepts malformed XML with multiple root elements and adds all roots to the document's childNodes, violating XML standards and potentially enabling XML signature bypass attacks or other security issues for dependent applications.

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Jun 25, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

5 Open source vulnerabilities detected - high severity
Aikido detected 5 vulnerabilities across 1 package, it includes 1 high and 4 medium vulnerabilities.

Details

Remediation Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants