
libxmljs @0.8.1

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 100
License: MIT
Install Scripts: Yes
Dependencies: 1
Dev Dependencies: 1
Package Size: 1155.5 KB
Published

libxml bindings for v8 javascript engine

Maintainers

polotek
shtylman

Dependencies (1)

Package    Constraint    Registry Status
bindings   1.0.0         auto_approved

Dev Dependencies (1)

Package    Constraint    Registry Status
nodeunit   *             auto_approved

Transitive Dependency Tree

1 transitive dependency, max depth 1
  ├─ bindings 1.0.0 → 1.0.0

Risk Dispositions (3 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule                        Source  Disposition  Author  Reason
osv:GHSA-6433-x5p4-8jc7     osv     reject       AI      AI (osv): CRITICAL type confusion RCE/DoS vulnerability affecting all versions <= 1.0.11 with no fix available; generalizes to all current versions.
osv:GHSA-mg49-jqgw-gcj6     osv     reject       AI      AI (osv): CRITICAL type confusion RCE/DoS vulnerability affecting all versions <= 1.0.11 with no fix available; generalizes to all current versions.
osv:GHSA-jv72-59wq-8rxm     osv     reject       AI      AI (osv): HIGH severity DoS via segfault affecting all versions <= 1.0.11 with no fix available; generalizes to all current versions.

SAST Findings (5)

CRITICAL GHSA-6433-x5p4-8jc7: libxmljs vulnerable to type confusion when parsing specially crafted XML osv

[Always reject] CVSS 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking a function on the result of `attrs()` that was called on a parsed node. This vulnerability might lead to denial of service (on both 32-bit systems and 64-bit systems), data leak, infinite loop and remote code execution (on 32-bit systems with the XML_PARSE_HUGE flag enabled).

CRITICAL GHSA-jv72-59wq-8rxm: libxmljs has segmentation fault, potentially leading to a denial-of-service (DoS) osv

[Always reject] CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS).

CRITICAL GHSA-mg49-jqgw-gcj6: libxmljs vulnerable to type confusion when parsing specially crafted XML osv

[Always reject] CVSS 8.1 (HIGH) — CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H libxmljs is vulnerable to a type confusion vulnerability when parsing a specially crafted XML while invoking the `namespaces()` function (which invokes `_wrap__xmlNode_nsDef_get()`) on a grand-child of a node that refers to an entity. This vulnerability can lead to denial of service and remote code execution.

HIGH GHSA-773h-w45w-f2f9: Denial of service vulnerability exists in libxmljs osv

CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H libxmljs provides libxml bindings for v8 javascript engine. This affects all versions of package libxmljs. When invoking the libxmljs.parseXml function with a non-buffer argument the V8 code will attempt invoking the .toString method of the argument. If the argument's toString value is not a Function object V8 will crash.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 100 (capped from 148). Findings: 3 critical (+120), 1 high (+25), 1 low (+3), 1 info (+0).

Published to npm: