CVE-2021-32796 Overview
CVE-2021-32796 is an Improper Output Encoding vulnerability in the xmldom JavaScript library, an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. The vulnerability exists in xmldom versions 0.6.0 and older, where the library does not correctly escape special characters when serializing elements removed from their ancestor. This encoding flaw may lead to unexpected syntactic changes during XML processing in downstream applications.
Critical Impact
Applications using vulnerable xmldom versions may be susceptible to XML injection attacks where maliciously crafted documents can alter the structure of serialized XML output, potentially bypassing security controls or manipulating application logic.
Affected Products
- xmldom versions 0.6.0 and earlier
- Node.js applications utilizing vulnerable xmldom package versions
- Downstream applications that process XML using xmldom serialization
Discovery Timeline
- 2021-07-27 - CVE-2021-32796 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32796
Vulnerability Analysis
The vulnerability stems from improper output encoding when the xmldom library serializes XML elements that have been removed from their parent nodes. When an element is detached from its ancestor and subsequently serialized, special characters such as <, &, and " are not properly escaped in attribute values. This improper encoding violates the W3C XML specification, specifically the "Well-formed constraint: No < in Attribute Values" requirement.
The root cause relates to CWE-116 (Improper Encoding or Escaping of Output) and CWE-91 (XML Injection). When special characters bypass encoding during serialization, the resulting XML output may contain syntactically significant characters in unexpected locations, fundamentally altering the document structure.
Root Cause
The serialization function in xmldom failed to apply proper character encoding when generating attribute values for elements removed from their DOM tree. The addSerializedAttribute function did not consistently replace special XML characters (<, &, ") with their corresponding entity references (&lt;, &amp;, &quot;) before inserting them into the output buffer.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious XML document containing special characters in strategic locations. When this document is parsed by an application using vulnerable xmldom versions, and elements are removed from their ancestor before serialization, the special characters will pass through without proper encoding. This can result in:
- XML injection attacks that alter document structure
- Bypass of XML-based security controls (such as XML signature validation)
- Data integrity violations in XML processing pipelines
- Potential for exploitation in SAML, SOAP, or other XML-based protocols
// Security patch from lib/dom.js - Merge pull request from GHSA-5fg8-2547-mr8q
}
return true;
}
+/**
+ * Well-formed constraint: No < in Attribute Values
+ * The replacement text of any entity referred to directly or indirectly in an attribute value must not contain a <.
+ * @see https://www.w3.org/TR/xml/#CleanAttrVals
+ * @see https://www.w3.org/TR/xml/#NT-AttValue
+ */
+function addSerializedAttribute(buf, qualifiedName, value) {
+ buf.push(' ', qualifiedName, '="', value.replace(/[<&"]/g,_xmlEncoder), '"')
+}
function serializeToString(node,buf,isHTML,nodeFilter,visibleNamespaces){
if (!visibleNamespaces) {
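Review bot: addSerializedAttribute calls value.replace(...) with no check that value is a string, so a null or non-string value reaching this helper would throw in the middle of serialization; coerce or guard value before the replace. The character class [<&"] also leaves tab, line feed and carriage return unescaped, and an XML parser normalizes those to spaces inside attribute values, so such values will not round-trip exactly; consider emitting character references for them. Only the helper's definition is visible in this hunk, so confirm in the rest of the commit that every place that writes an attribute or namespace declaration into buf now goes through it.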
Source: GitHub Commit Update
Detection Methods for CVE-2021-32796
Indicators of Compromise
- Presence of xmldom package versions 0.6.0 or earlier in package.json or package-lock.json
- XML output containing unescaped <, &, or " characters within attribute values
- Application logs showing XML parsing errors after serialization round-trips
- Unexpected XML structure changes in downstream processing systems
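One way to look for the second indicator above in serialized output, as an added example that is not part of xmldom or of the original advisory. The function name checkAttributeEncoding and the sample strings are constructed for illustration, and the scanner is a heuristic that assumes ASCII element and attribute names; it is not a full XML parser.

```javascript
'use strict';
// Added example (not xmldom code): scan serialized XML for attribute values
// that break the encoding rules. Assumes ASCII element/attribute names.
const SKIP  = /<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<\?[\s\S]*?\?>/y;
const OPEN  = /<([A-Za-z_:][\w:.-]*)/y;
const ATTR  = /\s+([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/y;
const CLOSE = /\s*\/?>/y;
// "&" that does not start a well-formed entity or character reference.
const BAD_AMP = /&(?!(?:[A-Za-z_:][\w:.-]*|#\d+|#x[0-9A-Fa-f]+);)/;

function checkAttributeEncoding(xml) {
  const problems = [];
  let i = 0;
  while ((i = xml.indexOf('<', i)) !== -1) {
    SKIP.lastIndex = i;                       // comments, CDATA, PIs may hold "<"
    if (SKIP.test(xml)) { i = SKIP.lastIndex; continue; }
    OPEN.lastIndex = i;
    const tag = OPEN.exec(xml);
    if (!tag) { i += 1; continue; }           // end tag, DOCTYPE or stray "<"
    let pos = OPEN.lastIndex;
    for (;;) {
      ATTR.lastIndex = pos;
      const a = ATTR.exec(xml);
      if (!a) break;
      const value = a[2] !== undefined ? a[2] : a[3];
      if (value.includes('<')) problems.push({ element: tag[1], attr: a[1], issue: 'raw <' });
      if (BAD_AMP.test(value)) problems.push({ element: tag[1], attr: a[1], issue: 'raw &' });
      pos = ATTR.lastIndex;
    }
    CLOSE.lastIndex = pos;
    // Leftover text before ">" usually means a raw quote ended a value early.
    if (!CLOSE.test(xml)) problems.push({ element: tag[1], attr: null, issue: 'malformed start tag' });
    i = pos;
  }
  return problems;
}

// Constructed samples: correctly encoded output, then output showing all three faults.
const GOOD = '<doc a="1 &lt; 2 &amp; &quot;q&quot;"><!-- a<b --><c/></doc>';
const BAD  = '<doc a="1 < 2" b="x & y" c="say "hi""/>';

console.log(checkAttributeEncoding(GOOD));
console.log(checkAttributeEncoding(BAD));
```

Run it on serializer output before the XML is handed to a downstream consumer; any finding means the output should be rejected rather than repaired.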
Detection Strategies
- Audit Node.js dependencies using npm audit or yarn audit to identify vulnerable xmldom versions
- Implement software composition analysis (SCA) scanning in CI/CD pipelines to detect vulnerable packages
- Monitor for XML validation errors that may indicate malformed serialization output
- Review application code for patterns where DOM elements are removed from ancestors before serialization
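An offline complement to npm audit for the dependency check described above, as an added example that is not from the advisory or the xmldom project. It walks a parsed package-lock.json in both the nested (lockfileVersion 1) and flat (lockfileVersion 2 and 3) layouts; the function names, the legacy-lib package and the sample lockfiles are constructed.

```javascript
'use strict';
// Added example: flag xmldom <= 0.6.0 anywhere in a parsed package-lock.json.
const LAST_VULNERABLE = [0, 6, 0]; // from the advisory: 0.6.0 and earlier

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return false; // not a plain version (git URL, missing field)
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_VULNERABLE[i]) return v[i] < LAST_VULNERABLE[i];
  }
  return true; // exactly 0.6.0
}

function findVulnerableXmldom(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/xmldom$/.test(path) && isVulnerable(info.version)) {
      hits.push({ path, version: info.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because v2 files carry both and would report duplicates).
  (function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'xmldom' && isVulnerable(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  })(lock.packages ? null : lock.dependencies, []);
  return hits;
}

// Constructed lockfiles; "legacy-lib" is a hypothetical package name.
const LOCK_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/xmldom': { version: '0.7.0' },
  'node_modules/legacy-lib/node_modules/xmldom': { version: '0.5.0' } } };
const LOCK_V1 = { lockfileVersion: 1, dependencies: {
  xmldom: { version: '0.7.0' },
  'legacy-lib': { version: '1.0.0', dependencies: { xmldom: { version: '0.6.0' } } } } };
```

In practice, pass it JSON.parse of the lockfile contents and fail the build when the returned list is not empty; transitive copies such as the nested one in the samples are the ones a top-level upgrade does not replace.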
Monitoring Recommendations
- Enable verbose logging for XML parsing and serialization operations in applications using xmldom
- Implement XML schema validation on serialized output to detect structural anomalies
- Set up dependency vulnerability scanning alerts for the xmldom package
- Monitor for security advisories from the xmldom project via GitHub Security Advisories
How to Mitigate CVE-2021-32796
Immediate Actions Required
- Upgrade xmldom to version 0.7.0 or later immediately
- Run npm update xmldom or yarn upgrade xmldom to update the package
- Verify the update by checking package-lock.json or yarn.lock for the new version
- Test XML serialization functionality after upgrade to ensure compatibility
Patch Information
The vulnerability has been resolved in xmldom version 0.7.0. The fix introduces a new addSerializedAttribute function that properly escapes special characters (<, &, ") using the _xmlEncoder function before including them in serialized attribute values. This ensures compliance with the W3C XML specification's "Well-formed constraint: No < in Attribute Values" requirement.
The security fix is available in the GitHub commit. For additional context, review the GitHub Security Advisory GHSA-5fg8-2547-mr8q.
Workarounds
- Implement input validation to reject XML documents containing potentially malicious character sequences in attribute values
- Add post-serialization validation to verify XML output is well-formed before passing to downstream systems
- Avoid removing elements from their ancestor nodes before serialization when using vulnerable versions
- Consider using alternative XML parsing libraries if immediate upgrade is not feasible
# Configuration example
# Upgrade xmldom to patched version
npm install xmldom@0.7.0
# Verify installed version
npm list xmldom
# Alternative: Use yarn
yarn upgrade xmldom@0.7.0

