CVE-2023-26920 Overview
CVE-2023-26920 is a Prototype Pollution vulnerability in fast-xml-parser, a widely used npm package for parsing XML in JavaScript applications. In versions prior to 4.1.2 the parser does not sanitize the reserved property name __proto__ when it turns XML attribute names and element names into object keys, so specially crafted XML input can inject properties into Object.prototype, from which nearly every object in the process inherits.
Critical Impact
An attacker who can get crafted XML parsed by a vulnerable version can pollute Object.prototype. The consequences depend on how the application later uses the parsed data and on what other code reads inherited properties: denial of service (for example, code that crashes on an unexpected inherited value), property injection (such as an inherited flag or default that changes a permission or configuration check), and, where polluted values reach a code-execution sink, remote code execution.
Affected Products
- naturalintelligence fast_xml_parser versions prior to 4.1.2
Discovery Timeline
- 2023-12-12 - CVE-2023-26920 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-26920
Vulnerability Analysis
Prototype Pollution is a JavaScript-specific vulnerability class in which user-controlled input can add or change properties on the prototype of base objects, most importantly Object.prototype. In fast-xml-parser the problem is that the library uses XML attribute names and child element names as object keys without checking for reserved names.
When the supplied XML contains an attribute or element named __proto__, the parser indexes an object with that string. Because __proto__ on an ordinary object resolves to its prototype rather than to an own property, a nested write such as obj["__proto__"]["x"] = v lands on Object.prototype, and the injected property is then inherited by every object whose prototype chain reaches it, which is nearly every object in the application. The impact ranges from denial of service to arbitrary code execution, depending on how the application processes the polluted objects.
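The mechanism described above, as an added example that is not fast-xml-parser's own code: a minimal model of a parser that turns XML element names straight into object keys, shown polluting Object.prototype, next to the "#__proto__" rename that the 4.1.2 fix applies. The tokenizer is an assumption for illustration only (nested elements and text; no attributes, self-closing tags or namespaces), and the payload is constructed for this example.

```javascript
// Tokenizer assumed for this example: open tags, close tags and text only.
const TOKEN_RE = /<\/([^>\s]+)\s*>|<([^>\s\/]+)\s*>|([^<]+)/g;

function tokenize(xml) {
  const tokens = [];
  for (const m of xml.matchAll(TOKEN_RE)) {
    if (m[1] !== undefined) tokens.push({ type: 'close', name: m[1] });
    else if (m[2] !== undefined) tokens.push({ type: 'open', name: m[2] });
    else if (m[3].trim() !== '') tokens.push({ type: 'text', value: m[3].trim() });
  }
  return tokens;
}

// Builds nested plain objects; element text lands in "#text". `sanitize` maps a tag
// name to the key actually used; the identity default models the pre-4.1.2 behaviour.
function buildObject(xml, sanitize = (name) => name) {
  const root = {};
  const stack = [root];
  for (const tok of tokenize(xml)) {
    const top = stack[stack.length - 1];
    if (tok.type === 'open') {
      const key = sanitize(tok.name);
      // Repeated tags merge into the existing child object. When key is "__proto__",
      // top[key] resolves to Object.prototype itself, which becomes the current node,
      // so every nested element is written onto the global prototype.
      if (typeof top[key] !== 'object' || top[key] === null) top[key] = {};
      stack.push(top[key]);
    } else if (tok.type === 'text') {
      top['#text'] = tok.value;
    } else if (stack.length > 1) {
      stack.pop();
    }
  }
  return root;
}

// The rename the fix uses: "__proto__" becomes an ordinary own property "#__proto__".
const renameProto = (name) => (name === '__proto__' ? '#__proto__' : name);

// Constructed attacker payload: <polluted> is written onto whatever top["__proto__"] is.
const PAYLOAD = '<root><__proto__><polluted>yes</polluted></__proto__></root>';

// Parses PAYLOAD with the given key sanitizer and reports whether an unrelated, freshly
// created object now inherits "polluted". Cleans up so the process stays usable.
function isPollutedAfterParse(sanitize) {
  try {
    buildObject(PAYLOAD, sanitize);
    return 'polluted' in {};
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('vulnerable:', isPollutedAfterParse());             // true
console.log('with rename:', isPollutedAfterParse(renameProto)); // false
```

With the rename in place the same payload produces an own property "#__proto__" under root, so the data is preserved but nothing is written to the shared prototype.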
Root Cause
The root cause is the absence of validation for reserved JavaScript property names in two files: OrderedObjParser.js and xmlNode.js. When processing XML attributes and child nodes, the parser used the supplied names directly as object keys without checking for prototype-related names such as __proto__.
Attack Vector
The attack is conducted over the network: the attacker submits crafted XML to an application that parses it with a vulnerable version of fast-xml-parser. Only low privileges are needed (the ability to submit XML to the application) and no user interaction is required. Including elements or attributes named __proto__ in that XML pollutes Object.prototype when the document is parsed.
The security patch addresses this vulnerability by detecting and sanitizing the __proto__ property name:
if (this.options.transformAttributeName) {
aName = this.options.transformAttributeName(aName);
}
+ if(aName === "__proto__") aName = "#__proto__";
if (oldVal !== undefined) {
if (this.options.trimValues) {
oldVal = oldVal.trim();
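Review bot: the added check `+ if(aName === "__proto__") aName = "#__proto__";` is an exact match on a single name; `constructor` and `prototype` pass through unchanged, and a legitimate attribute that was already named `#__proto__` now collides with the renamed one, so a consumer cannot tell the two apart. Running the check after `transformAttributeName` is the right order, since a user-supplied transform cannot reintroduce the name afterwards; the rename itself should be documented so applications know to look for `#__proto__` in the output, and keeping the reserved names in one shared helper would make it easier to audit whether `constructor`/`prototype` need the same treatment.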
Source: GitHub Commit for XML Parser
Additional fixes were applied in the xmlNode.js file:
}
add(key,val){
// this.child.push( {name : key, val: val, isCdata: isCdata });
+ if(key === "__proto__") key = "#__proto__";
this.child.push( {[key]: val });
}
addChild(node) {
+ if(node.tagname === "__proto__") node.tagname = "#__proto__";
if(node[":@"] && Object.keys(node[":@"]).length > 0){
this.child.push( { [node.tagname]: node.child, [":@"]: node[":@"] });
}else{
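Review bot: `addChild` mutates `node.tagname` in place before pushing, so any caller still holding `node` sees the renamed tag, while `add(key,val)` only renames its local `key`; one convention for both would avoid surprises. The `node[":@"]` attribute map on the line `this.child.push( { [node.tagname]: node.child, [":@"]: node[":@"] });` is pushed through untouched here, so the attribute-name rename in OrderedObjParser.js is the only guard for those keys; a comment cross-referencing it would help the next reader. The `"__proto__"` / `"#__proto__"` literals now appear in three places across the two files; a shared constant or helper would keep them from drifting.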
Source: GitHub Commit for XML Parser
Detection Methods for CVE-2023-26920
Indicators of Compromise
- XML input containing __proto__ as element names or attribute names in application logs
- Unexpected properties showing up on Object.prototype during debugging (for example, a property readable on an empty object literal that no code assigned)
- Anomalous behavior in downstream code that processes parsed XML data
- Application crashes or unexpected behavior following XML parsing operations
Detection Strategies
- Implement Software Composition Analysis (SCA) tools to identify vulnerable versions of fast-xml-parser (< 4.1.2) in your dependency tree
- Monitor application logs for XML payloads containing suspicious property names like __proto__, constructor, or prototype
- Use runtime application self-protection (RASP) to detect prototype pollution attempts
- Deploy Web Application Firewalls (WAF) with rules to block XML payloads containing prototype pollution patterns
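The log-monitoring strategy above, as an added example that is not from the page or from fast-xml-parser: a scanner that pulls XML element and attribute names out of logged request bodies and flags the reserved names listed above. The log format (one JSON object per line with ts, src and body fields) and the sample lines are constructed for this example.

```javascript
const DANGEROUS_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Opening or self-closing tag: captures the element name and the raw attribute text.
// Closing tags, comments and processing instructions do not match.
const TAG_RE = /<([A-Za-z_][\w.:-]*)((?:\s+[^\s=\/>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/g;
// One attribute inside that raw text: the name, optionally followed by a value.
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;

// Returns every element or attribute name in `xml` that is in DANGEROUS_NAMES.
function findDangerousNames(xml) {
  const hits = [];
  for (const tag of xml.matchAll(TAG_RE)) {
    const [, element, attrText] = tag;
    if (DANGEROUS_NAMES.has(element)) hits.push({ kind: 'element', name: element });
    for (const attr of attrText.matchAll(ATTR_RE)) {
      if (DANGEROUS_NAMES.has(attr[1])) hits.push({ kind: 'attribute', name: attr[1], element });
    }
  }
  return hits;
}

// Constructed sample log: one JSON record per line, body holds the raw XML request body.
const SAMPLE_LOG = [
  '{"ts":"2024-01-10T09:12:01Z","src":"203.0.113.5","body":"<order id=\\"42\\"><item>book</item></order>"}',
  '{"ts":"2024-01-10T09:12:07Z","src":"198.51.100.9","body":"<order><__proto__><isAdmin>true</isAdmin></__proto__></order>"}',
  '{"ts":"2024-01-10T09:12:09Z","src":"198.51.100.9","body":"<order __proto__=\\"x\\" constructor=\\"y\\"><item>pen</item></order>"}',
  '{"ts":"2024-01-10T09:12:15Z","src":"192.0.2.77","body":"<order><constructor><prototype><x>1</x></prototype></constructor></order>"}',
];

// Parses each line and returns one alert per record whose body carries a flagged name.
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue; // malformed line: skip it rather than abort the whole scan
    }
    if (typeof record.body !== 'string') continue;
    const hits = findDangerousNames(record.body);
    if (hits.length > 0) alerts.push({ ts: record.ts, src: record.src, hits });
  }
  return alerts;
}

for (const alert of scanLog(SAMPLE_LOG)) {
  console.log(`${alert.ts} ${alert.src} ${alert.hits.map((h) => `${h.kind}:${h.name}`).join(' ')}`);
}
```

The same findDangerousNames check can run on the request path before the document reaches the parser, which is the input-validation workaround listed later on this page; on the log side it flags three of the four sample records, and the clean record with an ordinary id attribute produces nothing.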
Monitoring Recommendations
- Audit npm dependencies regularly using npm audit or similar security scanning tools
- Implement logging for XML parsing operations to identify suspicious input patterns
- Monitor for unexpected modifications to Object.prototype in runtime environments
- Set up alerts for security advisories related to fast-xml-parser and similar XML parsing libraries
How to Mitigate CVE-2023-26920
Immediate Actions Required
- Upgrade fast-xml-parser to version 4.1.2 or later immediately
- Audit your application codebase for usage of fast-xml-parser and verify all instances are updated
- Review dependency lock files (package-lock.json, yarn.lock) to ensure no transitive dependencies use vulnerable versions
- Test application functionality after upgrading to ensure compatibility
Patch Information
The vulnerability is addressed in fast-xml-parser version 4.1.2. The fix renames the __proto__ key to #__proto__ during parsing, for attribute names in OrderedObjParser.js and for element names in xmlNode.js, so the value is kept as an ordinary own property instead of reaching the prototype. Applications that expect an element or attribute literally named __proto__ will see it under #__proto__ after upgrading.
Review the GitHub Security Advisory GHSA-793h-6f7r-6qvm for complete details on the security fix. The patch commit is available at GitHub Commit for XML Parser.
Workarounds
- Implement input validation to reject XML containing __proto__ attribute or element names before parsing
- Use Object.freeze(Object.prototype) at process startup as a temporary measure to block prototype modification (note: this may break libraries that extend Object.prototype; blocked writes throw a TypeError in strict-mode code and fail silently in sloppy-mode code, so combine the freeze with monitoring)
- Copy parsed output into prototype-less objects (Object.create(null)) before merging it into application state, so a __proto__ key is an ordinary own property rather than a path to Object.prototype; the merge logic on the consuming side still needs its own-property checks
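The runtime side of the workarounds above, together with the Object.prototype integrity check from the monitoring recommendations, as an added example that is not from the page or from fast-xml-parser. The freeze is demonstrated on a stand-in prototype so that the process running the example is left untouched; in production the call is Object.freeze(Object.prototype) once at startup. The function names and the sample input are constructed for this example.

```javascript
// Shows what Object.freeze does to a prototype. Strict-mode code gets a TypeError on the
// blocked write; sloppy-mode code fails silently, so pair the freeze with the canary
// below or with logging. `proto` stands in for Object.prototype here.
function frozenPrototypeDemo(proto) {
  'use strict';
  const obj = Object.create(proto); // plays the role of a fresh {} whose chain reaches proto
  Object.freeze(proto);
  let error = null;
  try {
    Object.getPrototypeOf(obj).polluted = 1; // the write a pollution gadget performs
  } catch (e) {
    error = e.constructor.name;
  }
  return { polluted: 'polluted' in obj, error };
}

// Deep-copies parsed output into prototype-less objects so a later merge into
// application state cannot reach Object.prototype through a "__proto__" key:
// on a null-prototype object, "__proto__" is an ordinary own property.
function toNullPrototype(value) {
  if (Array.isArray(value)) return value.map(toNullPrototype);
  if (value !== null && typeof value === 'object') {
    const copy = Object.create(null);
    for (const key of Object.keys(value)) copy[key] = toNullPrototype(value[key]);
    return copy;
  }
  return value;
}

// Snapshots Object.prototype's own property names; the returned function reports any
// names added since, which is the runtime check behind "monitor for unexpected
// modifications to Object.prototype".
function prototypeCanary() {
  const baseline = new Set(Object.getOwnPropertyNames(Object.prototype));
  return () => Object.getOwnPropertyNames(Object.prototype).filter((name) => !baseline.has(name));
}

// Constructed sample: JSON.parse creates an own "__proto__" key, the same shape a parser
// that passes reserved names through as keys would hand to the application.
const PARSED = JSON.parse('{"order":{"id":"42","__proto__":{"isAdmin":true}}}');
const SAFE = toNullPrototype(PARSED);

console.log(frozenPrototypeDemo({}));                 // { polluted: false, error: 'TypeError' }
console.log(Object.getPrototypeOf(SAFE.order));       // null
console.log(Object.keys(SAFE.order));                 // [ 'id', '__proto__' ]
console.log(prototypeCanary()());                     // [] while nothing has been added
```

The null-prototype copy only makes the data safe to hold; code that merges it into existing plain objects must still iterate own keys and assign to own properties, otherwise a target["__proto__"] lookup during the merge reaches Object.prototype again.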
# Install the patched version (npm update does not take a version spec)
npm install fast-xml-parser@^4.1.2
# Verify the installed version
npm list fast-xml-parser
# Run npm audit to check for other vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


