libxmljs@0.19.10

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: Yes
Dependencies: 3
Dev Dependencies: 2
Package Size: 1243.6 KB
Published

libxml bindings for v8 javascript engine

Maintainers

polotek, defunctzombie, rchipka

Dependencies (3)

Package                Constraint   Registry Status
nan                    ~2.14.0      auto_approved
bindings               ~1.3.0       auto_approved
@mapbox/node-pre-gyp   ^1.0.9       auto_approved

Dev Dependencies (2)

Package    Constraint   Registry Status
semver     ~5.5.0       No greenflagged match
nodeunit   ~0.11.2      auto_approved

Transitive Dependency Tree

23 transitive deps, max depth 5 (constraint → resolved version)
  ├─ @mapbox/node-pre-gyp ^1.0.9 → 1.0.9
  ├─ bindings ~1.3.0 → 1.3.1
  ├─ nan ~2.14.0 → 2.14.2
  ├─ detect-libc ^2.0.0 → 2.1.2
  ├─ https-proxy-agent ^5.0.0 → 5.0.1
  ├─ make-dir ^3.1.0 → 3.1.0
  ├─ node-fetch ^2.6.7 → 2.6.13
  ├─ nopt ^5.0.0 → 5.0.0
  ├─ npmlog ^5.0.1 → 5.0.1
  ├─ rimraf ^3.0.2
  ├─ semver ^7.3.5 → 7.8.1
  ├─ tar ^6.1.11 → 6.2.1
  ├─ abbrev 1
  ├─ agent-base 6 → 6.0.2
  ├─ are-we-there-yet ^2.0.0
  ├─ console-control-strings ^1.1.0 → 1.1.0
  ├─ debug 4 → 4.4.3
  ├─ gauge ^3.0.0
  ├─ semver ^6.0.0 → 6.3.1
  ├─ set-blocking ^2.0.0 → 2.0.0
  ├─ whatwg-url ^5.0.0 → 5.0.0
  ├─ debug 4 → 4.4.3
  ├─ ms ^2.1.3 → 2.1.3
  ├─ tr46 ~0.0.3 → 0.0.3
  ├─ webidl-conversions ^3.0.0 → 3.0.1
  ├─ ms ^2.1.3 → 2.1.3

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-6433-x5p4-8jc7   Source: osv   Disposition: reject   Author: AI
Reason: AI (osv): CRITICAL type confusion RCE/DoS vulnerability affecting all versions <= 1.0.11 with no fix available; generalizes to all current versions.

Rule: osv:GHSA-mg49-jqgw-gcj6   Source: osv   Disposition: reject   Author: AI
Reason: AI (osv): CRITICAL type confusion RCE/DoS vulnerability affecting all versions <= 1.0.11 with no fix available; generalizes to all current versions.

Rule: osv:GHSA-jv72-59wq-8rxm   Source: osv   Disposition: reject   Author: AI
Reason: AI (osv): HIGH severity DoS via segfault affecting all versions <= 1.0.11 with no fix available; generalizes to all current versions.

SAST Findings (4)

CRITICAL  GHSA-6433-x5p4-8jc7: libxmljs vulnerable to type confusion when parsing specially crafted XML  (source: osv)

[Always reject] CVSS 8.1 (HIGH), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of `attrs()` that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).

CRITICAL  GHSA-jv72-59wq-8rxm: libxmljs has segmentation fault, potentially leading to a denial-of-service (DoS)  (source: osv)

[Always reject] CVSS 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A vulnerability exists in libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS).

CRITICAL  GHSA-mg49-jqgw-gcj6: libxmljs vulnerable to type confusion when parsing specially crafted XML  (source: osv)

[Always reject] CVSS 8.1 (HIGH), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the `namespaces()` function (which invokes `_wrap__xmlNode_nsDef_get()`) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.

LOW  No provenance attestation  (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 100 (capped from 129). Findings: 3 critical (+120), 3 low (+9), 1 info (+0).

Commit: d1f3d50649fa

Published to npm: