CVE-2022-37616

Description

A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties takes the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."

How to fix CVE-2022-37616

To remediate CVE-2022-37616, upgrade the affected package to a fixed version below.

• —upgrade to 0.5.0-1+deb11u1 or later
• —upgrade to 0.1.27+ds-1+deb10u1 or later
• —no fix listed
• —upgrade to 0.8.3 or later

Is CVE-2022-37616 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 0.5.0-1+deb11u1
• from 0, < 0.1.27+ds-1+deb10u1
• from 0, <= 0.6.0
• >= 0.8.0, < 0.8.3

CVSS scores

References (15)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-37616
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-37616
• PATCHgithub.com/xmldom/xmldom
• WEBdl.acm.org/doi/abs/10.1145/3488932.3497769
• WEB