Listen to this Post
The vulnerability arises from improper handling of the CDATA terminator `]]>` within CDATA sections during XML serialization. When an attacker-controlled string containing this sequence is inserted into a CDATASection node (via createCDATASection, .appendData, .data, etc.), the `XMLSerializer` outputs it verbatim. This prematurely closes the CDATA block, allowing the subsequent attacker-controlled text to be interpreted as active XML markup rather than literal text. The root cause is twofold: a lack of validation in `lib/dom.js` (line ~1470) for `createCDATASection` and unsafe serialization logic that fails to escape or split the terminator. This breaks the assumption that CDATA content is safe from injection, enabling XML structure injection.
dailycve form:
Platform: @xmldom/xmldom
Version: <=0.8.6
Vulnerability: CDATA Injection
Severity: Critical
date: 2022-08-25
Prediction: 2022-09-15
Analytics under heading What Undercode Say:
Check if your package is vulnerable npm list @xmldom/xmldom | grep -E '@xmldom/xmldom@(0.[0-7].|0.8.[0-6])'
// Test script to validate CVE-2022-37616
const { DOMParser, XMLSerializer, DOMImplementation } = require('@xmldom/xmldom');
const doc = new DOMImplementation().createDocument(null, 'root', null);
const cdata = doc.createCDATASection('safe]]><injected/>');
doc.documentElement.appendChild(cdata);
const output = new XMLSerializer().serializeToString(doc);
console.log(output.includes('<injected/>') ? 'VULNERABLE' : 'PATCHED');
Exploit:
<!-- Payload injected into CDATA --> <root><![CDATA[bash]]><injected tag="pwn"/>]]></root> <!-- Resulting serialized output creates new elements --> <root><![CDATA[bash]]><injected tag="pwn"/><![CDATA[]]></root>
Protection from this CVE
Update to version 0.8.7 or later. If patching is not immediate, validate all user input to reject the `]]>` sequence before passing data to CDATA creation methods. Implement a content security policy for downstream XML consumers to prevent processing of injected elements.
Impact
An attacker can inject arbitrary XML elements into trusted documents, leading to business-logic manipulation (e.g., elevating privileges via <role>admin</role>), bypassing security controls, and corrupting data integrity in XML-based integrations (SOAP, RSS, configuration files).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

