Skip to main content

Mozilla CVE-2026-34601

HIGH
XML Injection (aka Blind XPath Injection) (CWE-91)
2026-04-01 https://github.com/xmldom/xmldom GHSA-wh4c-j3r5-mjhp
7.5
CVSS 3.1 · Vendor: https://github.com/xmldom/xmldom
Share

Severity by source

Vendor (https://github.com/xmldom/xmldom) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/xmldom/xmldom).

CVSS VectorVendor: https://github.com/xmldom/xmldom

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 16, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 01, 2026 - 00:30 vuln.today
Patch released
Apr 01, 2026 - 00:30 nvd
Patch available
CVE Published
Apr 01, 2026 - 00:19 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on @xmldom/xmldom (4 direct, 0 indirect)
  • 1,984 npm packages depend on xmldom (850 direct, 1,160 indirect)

Ecosystem-wide dependent count for version 0.9.0 and other introduced versions.

DescriptionCVE.org

Summary

@xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation.

The sequence ]]> is not allowed inside CDATA content and must be rejected or safely handled during serialization. (MDN Web Docs)

Attack surface

Document.createCDATASection(data) is the most direct entry point, but it is not the only one. The WHATWG DOM spec intentionally does not validate ]]> in mutation methods - only createCDATASection carries that guard. The following paths therefore also allow ]]> to enter a CDATASection node and reach the serializer:

  • CharacterData.appendData()
  • CharacterData.replaceData()
  • CharacterData.insertData()
  • Direct assignment to .data
  • Direct assignment to .textContent

(Note: assigning to .nodeValue does not update .data in this implementation - the serializer reads .data directly - so .nodeValue is not an exploitable path.)

Parse path

Parsing XML that contains a CDATA section is not affected. The SAX parser's non-greedy CDSect regex stops at the first ]]>, so parsed CDATA data never contains the terminator.

---

Impact

If an application uses xmldom to generate "trusted" XML documents that embed untrusted user input inside CDATA (a common pattern in exports, feeds, SOAP/XML integrations, etc.), an attacker can inject additional XML elements/attributes into the generated document.

This can lead to:

  • Integrity violation of generated XML documents.
  • Business-logic injection in downstream consumers (e.g., injecting <approved>true</approved>, <role>admin</role>, workflow flags, or other security-relevant elements).
  • Unexpected privilege/workflow decisions if downstream logic assumes injected nodes cannot appear.

This issue does not require malformed parsers or browser behavior; it is caused by serialization producing attacker-influenced XML markup.

---

Root Cause (with file + line numbers)

File: lib/dom.js

1. No validation in createCDATASection

createCDATASection: function (data) accepts any string and appends it directly.

  • Lines 2216-2221 (0.9.8)

2. Unsafe CDATA serialization

Serializer prints CDATA sections as:

<![CDATA[ + node.data + ]]>

without handling ]]> in the data.

  • Lines 2919-2920 (0.9.8)

Because CDATA content is emitted verbatim, an embedded ]]> closes the CDATA section early and the remainder of the attacker-controlled payload is interpreted as markup in the serialized XML.

---

Proof of Concept - Fix A: createCDATASection now throws

On patched versions, passing ]]> directly to createCDATASection throws InvalidCharacterError instead of silently accepting the payload:

js
const { DOMImplementation } = require('./lib');

const doc = new DOMImplementation().createDocument(null, 'root', null);
try {
  doc.createCDATASection('SAFE]]><injected attr="pwn"/>');
  console.log('VULNERABLE - no error thrown');
} catch (e) {
  console.log('FIXED - threw:', e.name); // InvalidCharacterError
}

Expected output on patched versions:

FIXED - threw: InvalidCharacterError

---

Proof of Concept - Fix B: mutation vector now safe

On patched versions, injecting ]]> via a mutation method (appendData, replaceData, .data =, .textContent =) no longer produces injectable output. The serializer splits the terminator so the result round-trips as safe text:

js
const { DOMImplementation, XMLSerializer } = require('./lib');
const { DOMParser } = require('./lib');

const doc = new DOMImplementation().createDocument(null, 'root', null);

// Start with safe data, then mutate to include the terminator
const cdata = doc.createCDATASection('safe');
doc.documentElement.appendChild(cdata);
cdata.appendData(']]><injected attr="pwn"/><more>TEXT</more><![CDATA[');

const out = new XMLSerializer().serializeToString(doc);
console.log('Serialized:', out);

const reparsed = new DOMParser().parseFromString(out, 'text/xml');
const injected = reparsed.getElementsByTagName('injected').length > 0;
console.log('Injected element found in reparsed doc:', injected);
// VULNERABLE: true  |  FIXED: false

Expected output on patched versions:

Serialized: <root><![CDATA[safe]]]]><![CDATA[><injected attr="pwn"/><more>TEXT</more><![CDATA[]]></root>
Injected element found in reparsed doc: false

---

Fix Applied

Both mitigations were implemented:

Option A - Strict/spec-aligned: reject ]]> in createCDATASection()

Document.createCDATASection(data) now throws InvalidCharacterError (per the WHATWG DOM spec) when data contains ]]>. This closes the direct entry point.

Code that previously passed a string containing ]]> to createCDATASection and relied on the silent/unsafe behaviour will now receive InvalidCharacterError. Use a mutation method such as appendData if you intentionally need ]]> in a CDATASection node's data (the serializer split in Option B will keep the output safe).

Option B - Defensive serialization: split the terminator during serialization

XMLSerializer now replaces every occurrence of ]]> in CDATA section data with the split sequence ]]]]><![CDATA[> before emitting. This closes all mutation-vector paths that Option A alone cannot guard, and means the serialized output is always well-formed XML regardless of how ]]> entered the node.

AnalysisAI

XML injection in xmldom's CDATA serialization allows remote attackers to inject arbitrary markup into generated XML documents without authentication. The vulnerability affects both the legacy xmldom package and @xmldom/xmldom when applications embed untrusted input into CDATA sections. Attackers can break out of CDATA context by including the sequence ]]> in user-controlled strings, causing downstream XML consumers to parse injected elements as legitimate markup. Vendor-released patches are avai

Technical ContextAI

This vulnerability exploits improper handling of CDATA section terminators in the xmldom JavaScript XML parser library (both legacy npm/xmldom and modern @xmldom/xmldom packages). CDATA sections in XML allow text content that would otherwise require entity escaping (like < and &) to be written literally, bounded by <![CDATA[ and ]]> markers. The XML specification prohibits the sequence ]]> from appearing within CDATA content because it prematurely closes the section. The vulnerability stems from two implementation gaps in xmldom's DOM implementation (lib/dom.js): Document.createCDATASection() accepted any string without validating for the forbidden terminator, and XMLSerializer emitted CDATA node data verbatim (node.data wrapped in CDATA markers) without detecting or escaping embedded ]]> sequences. Additionally, mutation methods from the CharacterData interface (appendData, replaceData, insertData) and direct property assignments (.data, .textContent) could inject the terminator after node creation, bypassing any potential validation. The root cause maps to CWE-91 (XML Injection), where insufficient output encoding allows data to be reinterpreted as active markup. Notably, the SAX parser path was not vulnerable because its non-greedy regex correctly stopped at the first ]]> during parsing, but the serialization path created a roundtrip integrity failure.

RemediationAI

Upgrade to patched versions immediately: xmldom 0.8.12 or later for the legacy package, or @xmldom/xmldom 0.9.9 or later for the modern package. The fixes implement two complementary mitigations: Document.createCDATASection() now throws InvalidCharacterError when input contains the ]]> sequence (aligning with WHATWG DOM specification behavior), and XMLSerializer defensively splits any ]]> occurrences in CDATA data into the safe escaped sequence ]]]]><![CDATA[> during serialization. Applications relying on the previous permissive behavior where createCDATASection silently accepted ]]> will experience breaking changes and must handle the new exception or use mutation methods like appendData for legitimate use cases. Official patch commit is available at https://github.com/xmldom/xmldom/commit/2b852e836ab86dbbd6cbaf0537f584dd0b5ac184, with release notes at https://github.com/xmldom/xmldom/releases/tag/0.8.12 and https://github.com/xmldom/xmldom/releases/tag/0.9.9. Full advisory and migration guidance is published at https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp. No workarounds are recommended; patching is the only complete remediation. Organizations unable to immediately upgrade should audit all code paths where untrusted input flows into createCDATASection or CDATA node mutations and implement application-layer validation to reject strings containing ]]> until patches can be deployed.

CVE-2015-4495 HIGH POC
8.8 Aug 08

The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote

CVE-2013-1690 HIGH POC
8.8 Jun 26

Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before

CVE-2013-0758 CRITICAL POC
9.3 Jan 13

Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb

CVE-2013-0753 CRITICAL POC
9.3 Jan 13

Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b

CVE-2012-3993 CRITICAL POC
9.3 Oct 10

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi

CVE-2013-1710 CRITICAL POC
10.0 Aug 07

The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo

CVE-2017-3823 HIGH POC
8.8 Feb 01

An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta

CVE-2014-8636 HIGH POC
7.5 Jan 14

The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with

CVE-2013-0757 CRITICAL POC
9.3 Jan 13

The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi

CVE-2014-1510 CRITICAL POC
9.8 Mar 19

The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se

CVE-2014-1511 CRITICAL POC
9.8 Mar 19

Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo

CVE-2013-0643 HIGH
8.8 Feb 27

The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-34601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy