CVE-2023-0842 in xml2js
Summary
by MITRE • 04/05/2023
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.
Analysis
by VulDB Data Team • 07/07/2025
The vulnerability identified as CVE-2023-0842 affects the xml2js library version 0.4.23 and represents a critical security flaw that enables prototype pollution attacks. This issue stems from insufficient input validation within the library's processing of JSON keys, creating an avenue for malicious actors to manipulate object properties through carefully crafted payloads. The vulnerability specifically allows attackers to modify the __proto__ property of objects, which can lead to severe consequences including arbitrary code execution and privilege escalation within affected applications.
The technical flaw resides in how xml2js handles incoming data during XML to JSON conversion processes. When the library processes XML documents containing specially crafted elements, it fails to properly sanitize or validate the keys used in the resulting JSON structure. This lack of proper validation allows an attacker to inject malicious keys that can modify the prototype chain of objects within the application's memory space. The __proto__ property manipulation represents a well-documented attack vector that has been extensively catalogued in the CWE database under CWE-471, which specifically addresses the issue of using insecure functions to modify object prototypes.
From an operational perspective, this vulnerability poses significant risks to applications that rely on xml2js for processing user-supplied XML data or data from external sources. The impact extends beyond simple data corruption, as prototype pollution can lead to more severe consequences including denial of service conditions, data manipulation, and potential privilege escalation attacks. Attackers can exploit this vulnerability to inject malicious code into the application's execution context, potentially allowing them to execute arbitrary commands or access sensitive information. The vulnerability aligns with several techniques documented in the MITRE ATT&CK framework under the T1059 category, specifically targeting application layer attacks that leverage insecure data handling practices.
Organizations utilizing xml2js version 0.4.23 should prioritize immediate remediation through version updates to the latest stable release that addresses this prototype pollution vulnerability. The recommended mitigation strategy includes implementing proper input validation mechanisms, employing secure coding practices that prevent prototype pollution, and conducting comprehensive security testing of all applications that process external XML data. Additionally, organizations should consider implementing runtime protections and monitoring systems to detect potential exploitation attempts. The vulnerability demonstrates the importance of proper object property validation in JavaScript applications and highlights the need for security-conscious development practices that prevent malicious actors from manipulating object prototypes through user-supplied input data.
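A simplified illustration of the unvalidated-key flaw and of the input-validation mitigation described above, added here and not taken from xml2js or from the advisory. The builder functions, the `SAMPLE` paths and the `polluted` property name are constructed for the example.

```javascript
// Added illustration; a simplified name-to-object builder, not xml2js code.
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);

// Constructed sample: [element path, text value] pairs as a parser might emit.
const SAMPLE = [
  [["order", "id"], "1001"],
  [["order", "__proto__", "polluted"], "yes"], // hostile element name
];

// Walks `path` from `root`, creating containers with `make()` as needed.
function insert(root, path, value, make) {
  let node = root;
  for (const name of path.slice(0, -1)) {
    if (typeof node[name] !== "object") node[name] = make();
    node = node[name];
  }
  node[path[path.length - 1]] = value;
}

// "Before": plain {} containers, unchecked keys. Reading node["__proto__"]
// yields Object.prototype, so the following write is visible on every object.
function buildNaive(entries) {
  const root = {};
  for (const [path, value] of entries) insert(root, path, value, () => ({}));
  return root;
}

// "After": reserved names are rejected where keys are assigned, and
// containers have no prototype to reach.
function buildHardened(entries) {
  const root = Object.create(null);
  const rejected = [];
  for (const [path, value] of entries) {
    if (path.some((name) => RESERVED.has(name))) rejected.push(path.join("/"));
    else insert(root, path, value, () => Object.create(null));
  }
  return { root, rejected };
}

// Runs the "before" builder, records whether a fresh object was affected,
// then deletes the leaked property so the process is left clean.
function naiveLeaks(entries) {
  buildNaive(entries);
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return leaked;
}
```

The check sits where keys are assigned because a walk over the finished object would not see `__proto__` as an own key of a plain `{}` container.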