CVE-2022-37616
Description
A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states "we are in the process of marking this report as invalid"; however, some third parties take the position that "A prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge or deep cloning but also when a target object is polluted."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution vulnerability in xmldom's dom.js copy function before version 0.8.3 allows attackers to inject properties into object prototypes via crafted XML input.
Vulnerability
Description
The vulnerability resides in the copy function within dom.js of the xmldom package (published as @xmldom/xmldom) for Node.js. It allows prototype pollution through the p variable, meaning an attacker can modify the prototype of base objects [1][4]. The vendor has disputed the validity of this report, but some third parties consider it a valid prototype pollution issue because the target object is polluted even if global objects are not directly affected [2].
Exploitation
An attacker can supply a specially crafted XML document that, when parsed by xmldom, triggers the copy function to pollute the Object prototype. No authentication is required if the application parses untrusted XML input [2][4]. The attack surface includes any Node.js application that uses xmldom to parse XML from external sources.
Impact
Successful exploitation could lead to property injection, potentially affecting application logic, security controls, or enabling further attacks such as denial of service or privilege escalation [2]. The exact impact depends on how the polluted properties are used by the application.
Mitigation
The vendor has marked the report as invalid, but the CVE remains assigned. Users are advised to upgrade to version 0.8.3 or later, which includes fixes for related issues [1][4]. As of the latest releases, the package has addressed other security concerns, and users should ensure they are on a supported version.
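To make the disputed point concrete, here is an added illustration, not xmldom's dom.js and not the project's 0.8.3 patch: an unguarded `for...in` copy loop, whose loop variable `p` can be the key `__proto__`, beside a guarded variant that copies own properties only and skips prototype-redirecting keys. The input object is constructed here for the demonstration; the property names are illustrative.

```javascript
// Added illustration, not xmldom's dom.js and not its 0.8.3 fix: an unguarded
// for...in copy loop next to a guarded one. Shows that when the loop variable p
// is "__proto__", `dest[p] = src[p]` rewrites the TARGET object's prototype,
// even though Object.prototype itself stays untouched.

// Unguarded copy: assigns every enumerable key, inherited ones and "__proto__" included.
function copyUnguarded(src, dest) {
  for (var p in src) {
    dest[p] = src[p];
  }
  return dest;
}

// Guarded copy: own properties only, and never a key that can redirect a prototype.
var PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function copyGuarded(src, dest) {
  for (var p in src) {
    if (!Object.prototype.hasOwnProperty.call(src, p)) continue;
    if (PROTOTYPE_KEYS.has(p)) continue;
    dest[p] = src[p];
  }
  return dest;
}

// Constructed sample input. JSON.parse turns "__proto__" into an own, enumerable
// data property (an object literal { __proto__: x } would set the prototype instead),
// so for...in yields p === "__proto__" and src[p] returns the nested object.
var UNTRUSTED = JSON.parse('{"nodeName":"a","__proto__":{"isAdmin":true}}');

// Run one copy function on a fresh target and report what a caller would observe.
function inspect(copyFn) {
  var target = copyFn(UNTRUSTED, {});
  return {
    nodeName: target.nodeName,
    ownIsAdmin: Object.prototype.hasOwnProperty.call(target, 'isAdmin'),
    inheritedIsAdmin: target.isAdmin === true,        // target object polluted?
    globalIsAdmin: Object.prototype.isAdmin === true, // global prototype polluted?
  };
}

console.log('unguarded:', inspect(copyUnguarded));
console.log('guarded:  ', inspect(copyGuarded));
```

With the unguarded loop the copied object inherits `isAdmin` while `Object.prototype` is unchanged, which is exactly the "target object is polluted" case the advisory dispute turns on; the guarded loop leaves the target's prototype as `Object.prototype`.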
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @xmldom/xmldom | npm | >= 0.8.0, < 0.8.3 | 0.8.3 |
| xmldom | npm | <= 0.6.0 | none |
| @xmldom/xmldom | npm | >= 0.9.0-beta.1, < 0.9.0-beta.2 | 0.9.0-beta.2 |
| @xmldom/xmldom | npm | < 0.7.6 | 0.7.6 |
Affected products
- xmldom/xmldom
  - GHSA version ranges: >= 0.8.0, < 0.8.3 (and 1 more)
  - (no CPE) range: >= 0.8.0, < 0.8.3
  - (no CPE) range: <= 0.6.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9pgh-qqpf-7wqj (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37616 (advisory)
- users.encs.concordia.ca/~mmannan/publications/JS-vulnerability-aisaccs2022.pdf (web)
- dl.acm.org/doi/abs/10.1145/3488932.3497769 (web)
- dl.acm.org/doi/pdf/10.1145/3488932.3497769 (web)
- github.com/xmldom/xmldom/blob/bc36efddf9948aba15618f85dc1addfc2ac9d7b2/lib/dom.js (web)
- github.com/xmldom/xmldom/blob/master/CHANGELOG.md (web)
- github.com/xmldom/xmldom/issues/436 (web)
- github.com/xmldom/xmldom/pull/437 (web)
- github.com/xmldom/xmldom/security/advisories/GHSA-9pgh-qqpf-7wqj (web)
- lists.debian.org/debian-lts-announce/2022/10/msg00023.html (mailing list)
News mentions
No linked articles in our index yet.