@xmldom/xmldom, CDATA Injection, CVE-2022-37616 (Critical)

Listen to this Post

The vulnerability arises from improper handling of the CDATA terminator `]]>` within CDATA sections during XML serialization. When an attacker-controlled string containing this sequence is inserted into a CDATASection node (via createCDATASection, .appendData, .data, etc.), the `XMLSerializer` outputs it verbatim. This prematurely closes the CDATA block, allowing the subsequent attacker-controlled text to be interpreted as active XML markup rather than literal text. The root cause is twofold: a lack of validation in `lib/dom.js` (line ~1470) for `createCDATASection` and unsafe serialization logic that fails to escape or split the terminator. This breaks the assumption that CDATA content is safe from injection, enabling XML structure injection.

dailycve form:

Platform: @xmldom/xmldom
Version: <=0.8.6
Vulnerability: CDATA Injection
Severity: Critical
date: 2022-08-25

Prediction: 2022-09-15

Analytics under heading What Undercode Say:

Check if your package is vulnerable
npm list @xmldom/xmldom | grep -E '@xmldom/xmldom@(0.[0-7].|0.8.[0-6])'
// Test script to validate CVE-2022-37616
const { DOMParser, XMLSerializer, DOMImplementation } = require('@xmldom/xmldom');
const doc = new DOMImplementation().createDocument(null, 'root', null);
const cdata = doc.createCDATASection('safe]]><injected/>');
doc.documentElement.appendChild(cdata);
const output = new XMLSerializer().serializeToString(doc);
console.log(output.includes('<injected/>') ? 'VULNERABLE' : 'PATCHED');

Exploit:

<!-- Payload injected into CDATA -->
<root><![CDATA[bash]]><injected tag="pwn"/>]]></root>
<!-- Resulting serialized output creates new elements -->
<root><![CDATA[bash]]><injected tag="pwn"/><![CDATA[]]></root>

Protection from this CVE

Update to version 0.8.7 or later. If patching is not immediate, validate all user input to reject the `]]>` sequence before passing data to CDATA creation methods. Implement a content security policy for downstream XML consumers to prevent processing of injected elements.

Impact

An attacker can inject arbitrary XML elements into trusted documents, leading to business-logic manipulation (e.g., elevating privileges via <role>admin</role>), bypassing security controls, and corrupting data integrity in XML-based integrations (SOAP, RSS, configuration files).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top