Prototype Pollution in fiznool/body-parser-xml
Description
body-parser-xml is vulnerable to prototype pollution via crafted XML input, allowing attackers to modify object prototype attributes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
body-parser-xml is an XML parser middleware for Express.js that converts incoming XML data into a JSON representation using the body-parser library. Versions prior to the commit at d46ca62 are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The vulnerability exists because the parser does not sanitize XML element names such as __proto__, prototype, or constructor before using them as keys when constructing the resulting JavaScript object [1][2]. This allows an attacker to pollute the prototype of the base object, affecting all objects in the application.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP POST request with an XML body containing a root element named __proto__ (or prototype or constructor) and nested child elements representing the properties to inject. The request must have a Content-Type header that matches XML (e.g., application/xml or text/xml), and the application must be using body-parser-xml middleware to parse the request body. No authentication is required; the attacker only needs network access to send the malicious request to the server [3]. The fix commit includes test cases demonstrating the exploitation vectors: sending <__proto__>Bob</__proto__> results in a parsed body of { parsed: {} } after the fix, but prior to the fix, such payloads would set Object.prototype.name to "Bob" [3].
Impact
Successful exploitation allows an attacker to inject arbitrary properties into the global Object.prototype. This prototype pollution can lead to various security impacts depending on the application logic, including but not limited to: property overwriting, denial of service, and potentially remote code execution if polluted properties affect security-critical operations. The attacker gains the ability to influence the behavior of all objects in the application's Node.js runtime, escalating to a full application compromise in many scenarios [2].
Mitigation
The fix was implemented in commit d46ca622560f7c9a033cd9321c61e92558150d63 by the project maintainer. A new version of body-parser-xml incorporating this fix should be released; users are advised to upgrade to the latest version as soon as possible or apply the patch manually [2][3]. As of this writing, no workaround is available beyond not using the vulnerable versions. The vulnerability has been published by huntr.dev and assigned CVE-2021-3666 [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| body-parser-xml (npm) | < 2.0.3 | 2.0.3 |
Affected products
- Vendor: fiznool; product: fiznool/body-parser-xml; version: v5; range: unspecified
Patches
- d46ca622560f: Fix prototype pollution vulnerability
2 files changed · +37 −1
index.js+10 −1 modified@@ -43,7 +43,16 @@ module.exports = function (bodyParser) { return next(err); } - req.body = xml || req.body; + if (xml) { + // Guard against prototype pollution + delete xml.__proto__; + delete xml.constructor; + delete xml.prototype; + + // Set result on the request body + req.body = xml; + } + next(); }); });
test.js+27 −0 modified@@ -130,4 +130,31 @@ describe('XML Body Parser', function () { .send('x<foo>test</foo><bar>test</bar></data>') .expect(400, done); }); + + it('should not set/change prototype using __proto__', function (done) { + createServer(); + request(app) + .post('/') + .set('Content-Type', 'application/xml') + .send('<__proto__><name>Bob</name></__proto__>') + .expect(200, { parsed: {} }, done); + }); + + it('should not set/change using prototype', function (done) { + createServer(); + request(app) + .post('/') + .set('Content-Type', 'application/xml') + .send('<prototype><name>Bob</name></prototype>') + .expect(200, { parsed: {} }, done); + }); + + it('should not set/change using constructor', function (done) { + createServer(); + request(app) + .post('/') + .set('Content-Type', 'application/xml') + .send('<constructor><name>Bob</name></constructor>') + .expect(200, { parsed: {} }, done); + }); });
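Review bot: in the index.js hunk, the three `delete` statements only remove own properties, which leaves the guard shallow in two ways: an offending element nested below the root survives untouched, and if the parser assigned the root key with plain bracket assignment, `__proto__` never became an own key at all (that assignment replaces the object's prototype instead), so `delete xml.__proto__` is a no-op. Consider rebuilding the body from `Object.keys(xml)` recursively into fresh objects, dropping the three names at every depth, and extend the `// Guard against prototype pollution` comment to say why exactly these three names are special.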
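Review bot: in the test.js hunk, each new test asserts only the response body `{ parsed: {} }`, which does not show that the prototype was left untouched; since the failure mode is a side effect on the process rather than on the response, the tests should also assert after the request completes that `({}).name` is `undefined` and that `Object.prototype` has no own `name` property. A case where the offending element is not the root would also be worth adding, because the guard in index.js only inspects top-level keys.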
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2ghc-6v89-pw9j (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-3666 (advisory)
- github.com/fiznool/body-parser-xml/commit/d46ca622560f7c9a033cd9321c61e92558150d63 (fix commit, MISC/WEB)
- huntr.dev/bounties/1-other-fiznool/body-parser-xml (huntr report, CONFIRM/WEB)