A significant vulnerability has been disclosed in xmldom (published as @xmldom/xmldom), a widely used JavaScript XML parser and serializer with over 23.5 million weekly downloads. The flaw, tracked as CVE-2026-34601 with a CVSS score of 7.5, is an XML injection that lets text which should have stayed inert inside a CDATA section become active markup in the serialized output.
CDATA sections in XML are designed as “safe zones” where developers can place raw text (code snippets, angle brackets, ampersands and other special characters) without the XML parser treating any of it as markup. The only sequence a CDATA section cannot contain is its own terminator, ]]>.
The vulnerability exists because @xmldom/xmldom allowed the CDATA terminator (]]>) to be inserted into these sections without validation. When the library serializes the document back into a string, it emits the content verbatim, so a ]]> inside the data closes the “safe zone” early and everything after it is read by the next parser as ordinary XML. An attacker who controls the text can therefore end the section and inject their own elements right after it.
While the direct way to create these sections is Document.createCDATASection(), researchers found several other paths that bypass the initial guards:
- CharacterData methods: appendData(), replaceData(), and insertData() on an existing CDATA node.
- Direct assignment: setting the node’s .data or .textContent property.
If an application uses xmldom to generate “trusted” documents (RSS feeds, SOAP integrations, data exports) and places untrusted user input inside a CDATA section, the injected markup reaches every downstream consumer of that document. The advisory describes the impact as:
- Integrity violation of generated XML documents.
- Business-logic injection in downstream consumers (e.g., injecting <approved>true</approved>, <role>admin</role>, workflow flags, or other security-relevant elements).
- Unexpected privilege/workflow decisions if downstream logic assumes injected nodes cannot appear.
“Data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation,” the advisory explains.
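To make the mechanism concrete, the following JavaScript is an added example written for this article, not code from xmldom or from the advisory. It models a serializer that emits CDATA content verbatim (the behaviour described above) next to the two standard fixes: splitting any ]]> across two adjacent CDATA sections so it can never terminate one, and rejecting the terminator outright, which is the check the bypassed CharacterData paths lacked. A small tokenizer stands in for the downstream consumer, and the <order> document and the comment payload are constructed for the demo.

```javascript
// Added example for this article; it does not use or reproduce xmldom's code.
// Models CDATA serialization, the injection, and two fixes.

const CDATA_END = "]]>";

// Vulnerable: the data is emitted verbatim, so a "]]>" in it closes the section.
function serializeCdataVerbatim(data) {
  return `<![CDATA[${data}]]>`;
}

// Fix 1 (escape by splitting): every "]]>" is broken into "]]" + ">" across
// two sections. "a]]>b" -> <![CDATA[a]]]]><![CDATA[>b]]> which parses back to "a]]>b".
function serializeCdataSplit(data) {
  return `<![CDATA[${data.split(CDATA_END).join("]]]]><![CDATA[>")}]]>`;
}

// Fix 2 (validate): refuse the terminator at the point of insertion. Any path
// that writes CDATA content (createCDATASection, appendData, .data = ...) has to
// run this check, otherwise the guard can be bypassed as the advisory describes.
function assertCdataSafe(data) {
  if (data.includes(CDATA_END)) {
    throw new Error("CDATA content must not contain ']]>'");
  }
  return data;
}

// A constructed "trusted" export: the approval flag is set by the application,
// the comment field is user-controlled and wrapped in CDATA.
function buildOrder(comment, serializeCdata) {
  return `<order><approved>false</approved><comment>${serializeCdata(comment)}</comment></order>`;
}

// Minimal stand-in for the downstream consumer: lists element start tags in
// document order, skipping over CDATA bodies exactly as an XML parser would.
function elementNames(xml) {
  const names = [];
  let i = 0;
  while (i < xml.length) {
    if (xml.startsWith("<![CDATA[", i)) {
      const end = xml.indexOf(CDATA_END, i + 9);
      i = end === -1 ? xml.length : end + 3;
      continue;
    }
    if (xml[i] === "<" && xml[i + 1] !== "/") {
      const m = /^<([A-Za-z_][\w.-]*)/.exec(xml.slice(i));
      if (m) names.push(m[1]);
    }
    i++;
  }
  return names;
}

// Concatenated text of all CDATA sections: shows the split form round-trips.
function extractCdata(xml) {
  let out = "";
  let i = 0;
  while ((i = xml.indexOf("<![CDATA[", i)) !== -1) {
    const start = i + 9;
    const end = xml.indexOf(CDATA_END, start);
    if (end === -1) break;
    out += xml.slice(start, end);
    i = end + 3;
  }
  return out;
}

// Constructed payload: close the section, inject a flag, reopen a section so the
// document stays well-formed and the injection is not caught by a parse error.
const PAYLOAD = "]]><approved>true</approved><![CDATA[";

// Usage: the verbatim serializer yields two <approved> elements, the split
// serializer keeps the payload as inert text.
console.log(elementNames(buildOrder(PAYLOAD, serializeCdataVerbatim)));
console.log(elementNames(buildOrder(PAYLOAD, serializeCdataSplit)));
```

Note that the split form is what the XML specification itself recommends for embedding an arbitrary string in CDATA; the validating form is stricter and is the right choice when the application never legitimately needs ]]> in the data. A consumer that picks the last <approved> element, or the first, is equally exposed, which is why the fix belongs in the serializer rather than in every reader.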
Developers are urged to audit their dependency trees and update to the patched versions immediately. Because xmldom is commonly pulled in transitively by other packages, checking the lock file or running npm ls @xmldom/xmldom is more reliable than looking only at direct dependencies in package.json.
| Affected Versions | Patched Version |
| --- | --- |
| < 0.8.12 | 0.8.12 |
| 0.9.0 to < 0.9.9 | 0.9.9 |