CVE-2026-34601 Overview
CVE-2026-34601 is an XML Injection vulnerability in xmldom, a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. The vulnerability allows attackers to inject malicious XML markup by inserting attacker-controlled strings containing the CDATA terminator ]]> into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator, causing data intended to remain text-only to become active XML markup in the serialized output.
Critical Impact
This vulnerability enables XML structure injection and downstream business-logic manipulation, allowing attackers to break out of CDATA sections and inject arbitrary XML elements that will be processed by downstream parsers.
Affected Products
- xmldom versions 0.6.0 and prior
- @xmldom/xmldom versions prior to 0.8.12
- @xmldom/xmldom versions prior to 0.9.9
Discovery Timeline
- 2026-04-02 - CVE CVE-2026-34601 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34601
Vulnerability Analysis
This vulnerability is classified under CWE-91 (XML Injection). The core issue lies in the createCDATASection method's failure to validate input data for the presence of the CDATA terminator sequence ]]>. In XML, CDATA sections are delimited by <![CDATA[ at the start and ]]> at the end. When user-controlled data containing the ]]> sequence is placed within a CDATA section and subsequently serialized, the embedded terminator prematurely closes the CDATA section, allowing any following content to be interpreted as active XML markup rather than literal text.
The network-based attack vector with no required privileges or user interaction makes this vulnerability particularly concerning for applications that process XML from untrusted sources. Attackers can exploit this to manipulate document structure, inject malicious elements, or alter business logic in applications that rely on the integrity of XML data structures.
Root Cause
The root cause is the lack of input validation in the createCDATASection method. The original implementation accepted any string data without checking for the presence of the illegal ]]> sequence, which is forbidden within CDATA section content per the XML specification. The XMLSerializer then faithfully serialized this content without any safety checks, allowing the CDATA boundary to be broken during output generation.
Attack Vector
The attack exploits the trust boundary between CDATA text content and XML markup. An attacker can supply a string such as harmless text]]><malicious>injected</malicious><![CDATA[ as input to a CDATA section. When serialized, this becomes:
<![CDATA[harmless text]]><malicious>injected</malicious><![CDATA[]]>
The <malicious>injected</malicious> portion is now interpreted as active XML elements by any downstream parser, enabling XML structure injection and potential business-logic manipulation.
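The break-out above, and the creation-time check the patch adds, as an added example in plain JavaScript (not xmldom's code; the CDATASection stand-in object and the `String(data)` coercion are assumptions of this example):

```javascript
// Added example, not xmldom's code. It reproduces the CDATA break-out described above with a
// minimal verbatim serializer, and shows the creation-time check the patch introduces.
const CDATA_END = ']]>';
const INVALID_CHARACTER_ERR = 5; // DOMException legacy code for InvalidCharacterError

// Vulnerable behaviour: the section body is emitted verbatim, so a terminator inside the
// data closes the section early and everything after it becomes markup.
function serializeCdataVerbatim(data) {
  return '<![CDATA[' + data + CDATA_END;
}

function invalidCharacterError(message) {
  // Node 17+ exposes DOMException globally; older runtimes get a plain Error with the same code.
  if (typeof DOMException !== 'undefined') {
    return new DOMException(message, 'InvalidCharacterError');
  }
  const err = new Error(message);
  err.name = 'InvalidCharacterError';
  err.code = INVALID_CHARACTER_ERR;
  return err;
}

// Patched behaviour: refuse to create the node at all when the data contains "]]>".
// The returned object is a stand-in for a CDATASection node (hypothetical, not xmldom's class).
function createCDATASectionChecked(data) {
  data = String(data); // assumption: coerce the way the DOM spec converts to DOMString
  if (data.indexOf(CDATA_END) !== -1) {
    throw invalidCharacterError('data contains "]]>"');
  }
  return { nodeType: 4, nodeName: '#cdata-section', data: data };
}

// Count CDATA sections in serialized output; one node should yield exactly one section.
function countCdataSections(xml) {
  return xml.split('<![CDATA[').length - 1;
}

// Run the advisory's own sample input through both paths.
function demo() {
  const untrusted = 'harmless text]]><malicious>injected</malicious><![CDATA[';
  const vulnerable = serializeCdataVerbatim(untrusted);
  let rejected = false;
  try {
    createCDATASectionChecked(untrusted);
  } catch (e) {
    rejected = e.code === INVALID_CHARACTER_ERR;
  }
  return { vulnerable: vulnerable, sections: countCdataSections(vulnerable), rejected: rejected };
}

console.log(demo());
```

Running it prints the exact serialized string shown above, reports that the single node produced two CDATA sections (the tell-tale of a break-out), and confirms that the checked constructor rejects the same input with `INVALID_CHARACTER_ERR`.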
Security Patch (index.d.ts):
createAttributeNS(namespace: string | null, qualifiedName: string): Attr;
/**
- * Returns a CDATASection node whose data is data.
+ * Returns a new CDATASection node whose data is `data`.
*
- * [MDN Reference](https://developer.mozilla.org/docs/Web/API/Document/createCDATASection)
+ * __This implementation differs from the specification:__ - calling this method on an HTML
+ * document does not throw `NotSupportedError`.
+ *
+ * @throws {DOMException}
+ * With code `INVALID_CHARACTER_ERR` if `data` contains `"]]>"`.
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/Document/createCDATASection
+ * @see https://dom.spec.whatwg.org/#dom-document-createcdatasection
*/
createCDATASection(data: string): CDATASection;
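Review bot: on the `__This implementation differs from the specification:__ - calling this method on an HTML` line the list item is run onto the same line as its heading sentence, so documentation generators will not render `- calling this method ...` as a bullet; move it to its own line (the same wording appears in lib/dom.js and should be formatted the same way there). The `@throws` text matches the runtime check in lib/dom.js, which is the right place to document it, but the signature `createCDATASection(data: string): CDATASection` cannot express that previously accepted input now throws, so this needs to be called out to consumers as a behaviour change rather than left to the doc comment alone.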
Source: GitHub Commit Details
Security Patch (lib/dom.js):
return node;
},
/**
+ * Returns a new CDATASection node whose data is `data`.
+ *
+ * __This implementation differs from the specification:__ - calling this method on an HTML
+ * document does not throw `NotSupportedError`.
+ *
* @param {string} data
* @returns {CDATASection}
+ * @throws {DOMException}
+ * With code `INVALID_CHARACTER_ERR` if `data` contains `"]]>"`.
+ * @see https://developer.mozilla.org/en-US/docs/Web/API/Document/createCDATASection
+ * @see https://dom.spec.whatwg.org/#dom-document-createcdatasection
*/
createCDATASection: function (data) {
+ if (data.indexOf(']]>') !== -1) {
+ throw new DOMException(DOMException.INVALID_CHARACTER_ERR, 'data contains "]]>"');
+ }
var node = new CDATASection(PDC);
node.ownerDocument = this;
node.childNodes = new NodeList();
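Review bot: `if (data.indexOf(']]>') !== -1)` throws a TypeError rather than the documented DOMException when `data` is not a string (`undefined`, a number), which the previous implementation accepted; coerce first (`data = String(data)`, or whatever conversion the sibling create* methods use) so the only exception callers have to handle is `INVALID_CHARACTER_ERR`. The check also runs only at creation time: if the CharacterData mutators on the resulting node (`appendData`, `insertData`, `replaceData`, the `data` setter) are not given the same check, a terminator can still reach XMLSerializer, which the advisory notes emits the content verbatim; either validate there as well or have the serializer split the terminator across two sections.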
Source: GitHub Commit Details
Detection Methods for CVE-2026-34601
Indicators of Compromise
- Input strings containing the ]]> sequence being passed to XML processing functions
- Unexpected XML structure changes in serialized output compared to expected document structure
- Application errors or exceptions related to XML parsing failures downstream from xmldom processing
- Log entries showing INVALID_CHARACTER_ERR exceptions after patching (indicating potential exploitation attempts)
Detection Strategies
- Implement input validation monitoring to detect strings containing ]]> sequences before they reach XML processing components
- Deploy application-layer logging to capture and analyze all data being processed through createCDATASection calls
- Use static application security testing (SAST) tools to identify vulnerable xmldom versions in your codebase
- Monitor dependency manifests (package.json, package-lock.json) for vulnerable xmldom versions
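Two of the strategies above (flagging inputs that contain the terminator, and scanning a dependency manifest for affected versions) as an added example in JavaScript; it is not vendor or project code, the lockfile below is constructed, and the version-range logic is this example's reading of the affected-version list (0.x lines below 0.9 are compared against 0.8.12, the 0.9 line against 0.9.9):

```javascript
// Added example, not from xmldom or any vendor. (1) flags CDATA terminators in untrusted input
// before it reaches XML processing; (2) scans a package-lock.json object for affected versions.
const CDATA_END = ']]>';

// (1) Return every offset at which "]]>" occurs, with a short context window suitable for logging.
function findCdataTerminators(input, context = 12) {
  const hits = [];
  let i = input.indexOf(CDATA_END);
  while (i !== -1) {
    const start = Math.max(0, i - context);
    hits.push({ offset: i, snippet: input.slice(start, i + CDATA_END.length + context) });
    i = input.indexOf(CDATA_END, i + CDATA_END.length);
  }
  return hits;
}

// (2) Minimal "major.minor.patch" comparison; pre-release suffixes are ignored, which is
// enough for the ranges in this advisory. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let k = 0; k < 3; k++) {
    const d = (pa[k] || 0) - (pb[k] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Affected ranges as listed in the advisory; the split between the 0.8 and 0.9 lines is an
// assumption of this example.
function isAffected(name, version) {
  if (name === 'xmldom') return compareVersions(version, '0.6.0') <= 0;
  if (name === '@xmldom/xmldom') {
    if (compareVersions(version, '0.9.0') >= 0) return compareVersions(version, '0.9.9') < 0;
    return compareVersions(version, '0.8.12') < 0;
  }
  return false;
}

// Walk a parsed package-lock.json: lockfileVersion 2/3 keep a flat "packages" map keyed by
// install path; lockfileVersion 1 nests "dependencies" objects keyed by package name.
function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      const m = path.match(/node_modules\/(@xmldom\/xmldom|xmldom)$/);
      if (m && info && info.version && isAffected(m[1], info.version)) {
        findings.push({ path: path, name: m[1], version: info.version });
      }
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (info && info.version && isAffected(name, info.version)) {
        findings.push({ path: path, name: name, version: info.version });
      }
      walk(info && info.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3 layout), not from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@xmldom/xmldom': { version: '0.8.10' },
    'node_modules/some-lib/node_modules/xmldom': { version: '0.6.0' },
    'node_modules/other-lib/node_modules/@xmldom/xmldom': { version: '0.9.9' },
  },
};

console.log(findCdataTerminators('<note>ok ]]><x/> more ]]></note>'));
console.log(scanLockfile(SAMPLE_LOCK));
```

On the constructed lockfile the scan reports the two affected copies (including the nested `xmldom` pulled in by another dependency) and passes over the patched 0.9.9 install; in practice, feed it `JSON.parse(fs.readFileSync('package-lock.json'))` from each service's repository.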
Monitoring Recommendations
- Configure SentinelOne Singularity to monitor Node.js applications for suspicious XML processing patterns
- Enable runtime application self-protection (RASP) capabilities to detect and block XML injection attempts
- Set up alerting for any DOMException errors with INVALID_CHARACTER_ERR codes in application logs
- Monitor network traffic for payloads containing CDATA terminator sequences targeting XML endpoints
How to Mitigate CVE-2026-34601
Immediate Actions Required
- Upgrade xmldom to version 0.6.0 or later
- Upgrade @xmldom/xmldom to version 0.8.12 or 0.9.9 or later
- Audit application code for any custom handling of CDATA sections that may bypass the library's validation
- Review and validate all XML input sources to ensure untrusted data is properly sanitized
Patch Information
The vulnerability has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9. The fix adds validation in the createCDATASection method to throw a DOMException with code INVALID_CHARACTER_ERR if the input data contains the ]]> sequence. This prevents the creation of CDATASection nodes with potentially malicious content that could break out of CDATA boundaries during serialization.
Patches are available through the following resources:
Workarounds
- Implement input sanitization to strip or escape ]]> sequences from user-controlled data before passing to CDATA processing
- Use allowlist validation for characters permitted in CDATA content
- Consider using alternative XML encoding methods (such as entity encoding) for untrusted content instead of CDATA sections
- Deploy a Web Application Firewall (WAF) rule to detect and block requests containing CDATA terminator patterns
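The content-level workarounds above (splitting or escaping the terminator, or entity-encoding instead of using CDATA) as an added example in JavaScript, with reference decoders to confirm that each round-trips the original text; this is not xmldom's code, and the helper names are this example's own:

```javascript
// Added example, not xmldom's code: two workarounds for untrusted CDATA content on versions
// that cannot be upgraded yet, plus decoders used only to verify the round trip.
const CDATA_END = ']]>';

// Workaround A: keep CDATA, but split every "]]>" across two sections:
// "]]>" -> "]]" + "]]><![CDATA[" + ">". No single section then contains a terminator, and a
// conforming parser concatenates the adjacent sections back into the original text.
function splitCdataTerminators(data) {
  return data.split(CDATA_END).join(']]' + CDATA_END + '<![CDATA[' + '>');
}

function serializeCdataSafely(data) {
  return '<![CDATA[' + splitCdataTerminators(data) + CDATA_END;
}

// Workaround B: do not use CDATA; entity-encode the text. This covers element content only;
// attribute values would additionally need the quote characters encoded.
function escapeXmlText(data) {
  return data.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Reference decoder: concatenate the bodies of all CDATA sections in the serialized string.
function decodeCdataSections(xml) {
  const re = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  let out = '';
  let m;
  while ((m = re.exec(xml)) !== null) out += m[1];
  return out;
}

function unescapeXmlText(text) {
  return text.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Whatever is left after removing every CDATA section is markup the parser would act on.
// For a single safely serialized node this must be the empty string.
function markupOutsideCdata(xml) {
  return xml.replace(/<!\[CDATA\[[\s\S]*?\]\]>/g, '');
}

function roundTrips(data) {
  return decodeCdataSections(serializeCdataSafely(data)) === data &&
         unescapeXmlText(escapeXmlText(data)) === data;
}

// The advisory's sample input, handled both ways.
const untrusted = 'harmless text]]><malicious>injected</malicious><![CDATA[';
console.log(serializeCdataSafely(untrusted));
console.log(markupOutsideCdata(serializeCdataSafely(untrusted)) === '');
console.log(escapeXmlText(untrusted));
console.log(roundTrips(untrusted));
```

Splitting keeps the CDATA form for consumers that expect it, while entity encoding is the simpler choice when nothing downstream depends on CDATA; in both cases `markupOutsideCdata` is the check to run over the serialized output in tests.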
# Update xmldom to the patched version (npm update takes package names only, so use npm install with an explicit tag)
npm install xmldom@latest
# Or, for the @xmldom/xmldom scoped package
npm install @xmldom/xmldom@latest
# Verify the installed version, including nested copies pulled in by other dependencies
npm list xmldom
npm list @xmldom/xmldom
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

