CVE-2022-39353
CVE-2022-39353 is a critical-severity vulnerability in Xmldom Project Xmldom with a CVSS 3.x base score of 9.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: Critical (CVSS 3.x base score 9.4)
- EPSS exploit prediction: 1% (64th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Xmldom Project Xmldom
- Published:
- Last modified:
Description
xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
Frequently asked questions
- What is CVE-2022-39353?
- xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the `childNodes` collection of the `Document`, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to issuance of CVE-2022-39299 as it is a potential issue for dependents. Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a workaround, please one of the following approaches depending on your use case: instead of searching for elements in the whole DOM, only search in the `documentElement`or reject a document with a document that has more then 1 `childNode`.
- How severe is CVE-2022-39353?
- CVE-2022-39353 has a CVSS 3.x base score of 9.4, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity high, and availability high.
- Is CVE-2022-39353 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (64th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-39353?
- CVE-2022-39353 primarily affects Xmldom Project Xmldom. In total, 5 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-39353?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2022-39353 published?
- CVE-2022-39353 was published on 2022-11-02 and last updated on 2026-06-17.
References
- https://github.com/jindw/xmldom/issues/150
- https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883
- https://lists.debian.org/debian-lts-announce/2023/01/msg00000.html
Affected products (5)
- cpe:2.3:a:xmldom_project:xmldom:*:*:*:*:*:node.js:*:*
- cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta1:*:*:*:node.js:*:*
- cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta2:*:*:*:node.js:*:*
- cpe:2.3:a:xmldom_project:xmldom:0.9.0:beta3:*:*:*:node.js:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Xmldom Project Xmldom
- CVE-2022-37616 — Critical (CVSS 9.8): A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom)…
- CVE-2021-32796 — Medium (CVSS 6.5): xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.…
- CVE-2021-21366 — Medium (CVSS 4.3): xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom…
All CVEs affecting Xmldom Project Xmldom →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →