[Pkg-javascript-devel] Bug#1116340: Bug#1116340: node-min-document: CVE-2025-57352

Yadd yadd at debian.org
Thu Sep 25 21:55:22 BST 2025


Le 25/09/2025 à 21:19, Salvatore Bonaccorso a écrit :
> Source: node-min-document
> Version: 2.19.0+~cs2.20.2-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/Raynos/min-document/issues/54
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> 
> Hi Yadd,
> 
> The following vulnerability was published for node-min-document.
> 
> Disclaimer: did make it deliberately RC while maybe not directly
> warranted because the module seems unmaintained/obsolete upstream.
> Feel free to downgrade to important if you disagree.
> 
> Should it be removed from unstable?
> 
> CVE-2025-57352[0]:
> | A vulnerability exists in the 'min-document' package prior to
> | version 2.19.0, stemming from improper handling of namespace
> | operations in the removeAttributeNS method. By processing malicious
> | input involving the __proto__ property, an attacker can manipulate
> | the prototype chain of JavaScript objects, leading to denial of
> | service or arbitrary code execution. This issue arises from
> | insufficient validation of attribute namespace removal operations,
> | allowing unintended modification of critical object prototypes. The
> | vulnerability remains unaddressed in the latest available version.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2025-57352
>      https://www.cve.org/CVERecord?id=CVE-2025-57352
> [1] https://github.com/Raynos/min-document/issues/54
Upstream response is "This library is unmaintained / deprecated"...

IMO in unstable: upgrade reverse-dependencies to no longer use it
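As an added illustration (not min-document's own code, nor part of this thread), a namespace-aware attribute store hardened against the class of flaw the CVE text describes: null-prototype maps plus a key guard, so setAttributeNS/removeAttributeNS called with a `__proto__` namespace or name can never reach Object.prototype. The SafeElement class, its helper names and the xlink sample attribute are assumptions modelled on the DOM API.

```javascript
// Added example (not min-document's code): a namespace-aware attribute
// store hardened against prototype pollution through attribute keys.
// The SafeElement class is an assumption modelled on the DOM API.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeKey(key) {
  // Reject keys that would name Object.prototype or its constructor
  // instead of an entry in the element's own attribute map.
  if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
    throw new TypeError(`unsafe attribute key: ${String(key)}`);
  }
}

// Null namespace is stored under the empty-string bucket.
const bucketKey = (ns) => (ns === null ? '' : ns);

class SafeElement {
  constructor() {
    // Null-prototype maps: there is no inherited __proto__ accessor to reach.
    this._attrs = Object.create(null);
  }
  setAttributeNS(ns, name, value) {
    const b = bucketKey(ns);
    assertSafeKey(b);
    assertSafeKey(name);
    if (!(b in this._attrs)) this._attrs[b] = Object.create(null);
    this._attrs[b][name] = String(value);
  }
  getAttributeNS(ns, name) {
    const bucket = this._attrs[bucketKey(ns)];
    return bucket && name in bucket ? bucket[name] : null;
  }
  removeAttributeNS(ns, name) {
    // Only an own key of an own bucket is ever deleted; a forbidden key is
    // rejected up front, so the call can never touch a shared prototype.
    const b = bucketKey(ns);
    assertSafeKey(b);
    assertSafeKey(name);
    const bucket = this._attrs[b];
    if (bucket) delete bucket[name];
  }
}

// True when Object.prototype still has exactly `baseline` own properties,
// i.e. nothing was polluted while the element was in use.
function prototypeUntouched(baseline) {
  return Object.getOwnPropertyNames(Object.prototype).length === baseline;
}
```

Record the baseline count of Object.prototype's own properties before exercising the element, then check prototypeUntouched(baseline) afterwards to confirm no pollution occurred.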
