CVE-2021-21366 Overview
CVE-2021-21366 is an input validation vulnerability affecting xmldom, a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module widely used in Node.js applications. The vulnerability exists in xmldom versions 0.4.0 and older, where the library fails to correctly preserve system identifiers, FPIs (Formal Public Identifiers), or namespaces when repeatedly parsing and serializing maliciously crafted documents. This flaw can lead to unexpected syntactic changes during XML processing in downstream applications.
Critical Impact
Attackers can craft malicious XML documents that, when processed through affected xmldom versions, result in altered document structure potentially bypassing security controls or causing unexpected application behavior in downstream systems.
Affected Products
- xmldom_project xmldom versions 0.4.0 and older (Node.js)
- debian debian_linux 10.0
Discovery Timeline
- 2021-03-12 - CVE-2021-21366 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21366
Vulnerability Analysis
This vulnerability stems from improper handling of XML document components during the parse-serialize cycle. When xmldom parses and then re-serializes a maliciously crafted document, possibly over several iterations, document metadata such as system identifiers, Formal Public Identifiers (FPIs), and namespace declarations may not be preserved correctly. As a result, the serialized output can differ syntactically from the original input in ways that downstream applications do not anticipate.
The security implications vary depending on how downstream applications process the modified XML output. Applications relying on document integrity or performing security-sensitive operations based on XML structure may be vulnerable to bypass attacks or data manipulation.
Root Cause
The root cause lies in the DOM serialization logic within lib/dom.js, where the handling of DOCTYPE declarations improperly processes public and system identifiers. The vulnerable code incorrectly wraps identifiers in quotation marks during serialization, leading to malformed output when documents are round-tripped through the parser and serializer.
Additionally, the error handling in lib/dom-parser.js contributed to the issue by not properly encapsulating parsing errors, which could mask malformed document handling during processing.
Attack Vector
The vulnerability is exploitable over the network, requiring user interaction. An attacker can craft a malicious XML document with specially formatted DOCTYPE declarations, system identifiers, or namespace constructs. When a vulnerable application parses and subsequently serializes this document (a common pattern in XML transformation pipelines), the output document will have altered syntax. This can be leveraged to:
- Bypass XML-based input validation that occurs before the parse-serialize cycle
- Inject or modify document structure in ways that affect downstream processing
- Cause application logic errors due to unexpected document structure changes
// Security patch in lib/dom.js - DOCTYPE serialization fix
// Before (vulnerable): the serializer adds its own quotation marks around the identifiers
var sysid = node.systemId;
buf.push('<!DOCTYPE ',node.name);
if(pubid){
    buf.push(' PUBLIC "',pubid);
    if (sysid && sysid!='.') {
        buf.push( '" "',sysid);
    }
    buf.push('">');
}else if(sysid && sysid!='.'){
    buf.push(' SYSTEM "',sysid,'">');
}
// After (fixed): the identifiers are emitted as stored on the node, with no extra quotes
var sysid = node.systemId;
buf.push('<!DOCTYPE ',node.name);
if(pubid){
    buf.push(' PUBLIC ', pubid);
    if (sysid && sysid!='.') {
        buf.push(' ', sysid);
    }
    buf.push('>');
}else if(sysid && sysid!='.'){
    buf.push(' SYSTEM ', sysid, '>');
}
Source: GitHub Commit d4201b9
// Security patch in lib/dom-parser.js - Error handling improvement
// Before (vulnerable): the error is logged to the console and re-thrown as-is
fatalError:function(error) {
    console.error('[xmldom fatalError]\t'+error,_locator(this.locator));
    throw error;
}
// After (fixed): the error is wrapped in a ParseError that carries the locator
fatalError:function(error) {
    throw new ParseError(error, this.locator);
}
Source: GitHub Commit d4201b9
Detection Methods for CVE-2021-21366
Indicators of Compromise
- Presence of xmldom package versions 0.4.0 or older in package.json or package-lock.json files
- XML documents with unusual or malformed DOCTYPE declarations in application logs
- Discrepancies between input and output XML documents after processing pipelines
- Application errors related to unexpected XML namespace or identifier handling
Detection Strategies
- Audit Node.js application dependencies using npm audit or yarn audit to identify vulnerable xmldom versions
- Implement software composition analysis (SCA) tools to continuously monitor for vulnerable package versions
- Review XML processing logs for syntactic inconsistencies between input and serialized output
- Deploy application-level monitoring to detect anomalous XML document structure changes
Monitoring Recommendations
- Configure dependency scanning in CI/CD pipelines to flag xmldom versions below 0.5.0
- Monitor application logs for XML parsing errors or warnings related to DOCTYPE, namespace, or identifier processing
- Implement integrity checks on XML documents before and after parse-serialize operations in security-sensitive workflows
- Use SentinelOne Singularity Platform to monitor for suspicious XML processing patterns and supply chain vulnerabilities
How to Mitigate CVE-2021-21366
Immediate Actions Required
- Upgrade xmldom to version 0.5.0 or later immediately
- Audit all Node.js applications and dependencies for vulnerable xmldom versions
- Implement input validation to reject potentially malicious XML documents before processing
- Review XML processing workflows that involve repeated parsing and serialization
Patch Information
The vulnerability is fixed in xmldom version 0.5.0. The patch addresses the incorrect preservation of system identifiers, FPIs, and namespaces during the parse-serialize cycle. Organizations should update their dependencies by running:
npm update xmldom
Note that npm update only moves within the range declared in package.json; for 0.x releases a caret range such as ^0.4.0 does not include 0.5.0, so check the installed version afterwards (npm list xmldom) and install the fixed release explicitly if it has not changed.
To pin a specific version:
npm install xmldom@0.5.0
Refer to the GitHub Security Advisory GHSA-h6q6-9hqw-rwfv and Release Notes for v0.5.0 for complete details. Debian users should reference the Debian LTS Announcement for distribution-specific patches.
Workarounds
- Implement strict input validation to reject XML documents with suspicious DOCTYPE declarations or identifiers before processing
- Avoid repeated parse-serialize cycles on untrusted XML content where possible
- Add integrity verification by comparing document hashes before and after processing to detect unexpected modifications
- Consider using alternative XML parsing libraries if immediate upgrade is not feasible
# Configuration example - Verify xmldom version and update
# Check current xmldom version
npm list xmldom
# Update to patched version
npm install xmldom@^0.5.0
# Verify the update
npm list xmldom
# Run security audit
npm audit --audit-level=moderate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

