xml2js 0.4.23 - Prototype Pollution
7.3
High
Discovered by

Offensive Team, Fluid Attacks
Summary
Full name
xml2js 0.4.23 - Prototype Pollution
Code name
State
Public
Release date
Apr 10, 2023
Affected product
mdpdf
Affected version(s)
Version 0.4.23
Vulnerability name
Prototype Pollution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS v3.1 base score
7.3
Exploit available
Yes
CVE ID(s)
Description
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__
property to be edited.
Vulnerability
Prototype pollution is a vulnerability that affects JS. It occurs when a third party manages to modify the __proto__
of an object. JavaScript first checks if such a method/attribute exists in the object. If so, then it calls it. If not, it looks in the object's prototype. If the method/attribute is also not in the object's prototype, then the property is said to be undefined.
Therefore, if an attacker succeeds in injecting the __proto__
property into an object, he will succeed in injecting or editing its properties.
Exploitation
Exploit.md
Evidence of exploitation

Our security policy
We have reserved the ID CVE-2023-0842 to refer to this issue from now on. Disclosure policy
System Information
Version: xml2js 0.4.23
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Timeline
Vulnerability discovered
Feb 14, 2023
Vendor contacted
Feb 14, 2023
Vendor replied
Feb 14, 2023
Public disclosure
Apr 10, 2023