CVE-2022-39353: 
JavaScript vulnerability analysis and mitigation

xmldom, a pure JavaScript W3C standard-based DOMParser and XMLSerializer module, was found to contain a vulnerability identified as CVE-2022-39353. The vulnerability was discovered in October 2022 and affects versions <0.7.7, >=0.8.0 <0.8.4, and >=0.9.0-beta.1 <0.9.0-beta.4. The issue allows parsing of malformed XML documents containing multiple top-level elements without reporting any errors (GitHub Advisory).

The vulnerability stems from xmldom's behavior of parsing XML that contains multiple top-level elements and adding all root nodes to the childNodes collection of the Document without reporting any error or throwing an exception. This breaks the fundamental XML specification requirement that mandates only a single root node in the document tree. The issue was rated as Critical severity and is associated with CWE-20 (Improper Input Validation) and CWE-1288 weaknesses (GitHub Advisory).

This vulnerability breaks the critical assumption that there should only be a single root node in the XML tree. This violation of XML specifications can lead to security holes in downstream applications, as demonstrated by its connection to CVE-2022-39299. The issue could potentially result in unexpected behavior in applications that rely on proper XML document structure (GitHub Advisory).

Users are advised to update to patched versions: @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4, or @xmldom/xmldom@>=0.9.0-beta.4. Alternative workarounds include searching for elements only in the documentElement instead of the whole DOM, or implementing validation to reject documents with more than one childNode (GitHub Advisory).