[Pkg-javascript-devel] Bug#1116340: Bug#1116340: node-min-document: CVE-2025-57352
Yadd
yadd at debian.org
Thu Sep 25 21:55:22 BST 2025
On 25/09/2025 at 21:19, Salvatore Bonaccorso wrote:
> Source: node-min-document
> Version: 2.19.0+~cs2.20.2-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/Raynos/min-document/issues/54
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi Yadd,
>
> The following vulnerability was published for node-min-document.
>
> Disclaimer: did make it deliberately RC while maybe not directly
> warranted because the module seems unmaintained/obsolete upstream.
> Feel free to downgrade to important if you disagree.
>
> Should it be removed from unstable?
>
> CVE-2025-57352[0]:
> | A vulnerability exists in the 'min-document' package prior to
> | version 2.19.0, stemming from improper handling of namespace
> | operations in the removeAttributeNS method. By processing malicious
> | input involving the __proto__ property, an attacker can manipulate
> | the prototype chain of JavaScript objects, leading to denial of
> | service or arbitrary code execution. This issue arises from
> | insufficient validation of attribute namespace removal operations,
> | allowing unintended modification of critical object prototypes. The
> | vulnerability remains unaddressed in the latest available version.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2025-57352
> https://www.cve.org/CVERecord?id=CVE-2025-57352
> [1] https://github.com/Raynos/min-document/issues/54
Upstream response is "This library is unmaintained / deprecated"...
IMO in unstable: upgrade reverse-dependencies to no longer use it
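As an added illustration of the class of bug described in the CVE text above (this is not min-document's code and not a patch for the package): a hypothetical namespace-aware attribute store whose removeAttributeNS() refuses __proto__-style keys and keeps attributes in null-prototype buckets, plus a canary check a test suite or triage script can use to confirm Object.prototype was not modified after processing untrusted input. All names (FORBIDDEN_KEYS, SafeAttributeStore, snapshotPrototype, prototypeUnchanged) are assumptions.

```javascript
// Keys that must never be used to index a plain object (hypothetical list).
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function assertSafeKey(key) {
  if (typeof key !== "string" || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`refusing to use unsafe attribute key: ${String(key)}`);
  }
}

// Minimal, hypothetical attribute store modelling a namespace-aware
// removeAttributeNS(); attributes live in null-prototype buckets keyed
// by namespace, so a lookup can never walk into Object.prototype.
class SafeAttributeStore {
  constructor() {
    this._attributes = Object.create(null);
  }

  setAttributeNS(namespace, name, value) {
    const ns = namespace === null ? "" : namespace;
    assertSafeKey(ns);
    assertSafeKey(name);
    if (this._attributes[ns] === undefined) {
      this._attributes[ns] = Object.create(null);
    }
    this._attributes[ns][name] = String(value);
  }

  // Returns true when an own attribute was removed, false otherwise;
  // throws on __proto__-style keys instead of touching the prototype chain.
  removeAttributeNS(namespace, name) {
    const ns = namespace === null ? "" : namespace;
    assertSafeKey(ns);
    assertSafeKey(name);
    const bucket = this._attributes[ns];
    if (bucket !== undefined && Object.prototype.hasOwnProperty.call(bucket, name)) {
      delete bucket[name];
      return true;
    }
    return false;
  }
}

// Canary check for tests and incident triage: snapshot the own property
// names of Object.prototype, process untrusted input, then compare.
function snapshotPrototype() {
  return Object.getOwnPropertyNames(Object.prototype).sort();
}

function prototypeUnchanged(before) {
  const after = snapshotPrototype();
  return after.length === before.length && after.every((k, i) => k === before[i]);
}
```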