[Pkg-javascript-devel] Bug#1116340: Bug#1116340: node-min-document: CVE-2025-57352

Salvatore Bonaccorso carnil at debian.org
Fri Sep 26 05:51:12 BST 2025


Hi,

On Thu, Sep 25, 2025 at 10:55:22PM +0200, Yadd wrote:
> On 25/09/2025 at 21:19, Salvatore Bonaccorso wrote:
> > Source: node-min-document
> > Version: 2.19.0+~cs2.20.2-2
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://github.com/Raynos/min-document/issues/54
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> > 
> > Hi Yadd,
> > 
> > The following vulnerability was published for node-min-document.
> > 
> > Disclaimer: I did make it deliberately RC while maybe not directly
> > warranted, because the module seems unmaintained/obsolete upstream.
> > Feel free to downgrade to important if you disagree.
> > 
> > Should it be removed from unstable?
> > 
> > CVE-2025-57352[0]:
> > | A vulnerability exists in the 'min-document' package prior to
> > | version 2.19.0, stemming from improper handling of namespace
> > | operations in the removeAttributeNS method. By processing malicious
> > | input involving the __proto__ property, an attacker can manipulate
> > | the prototype chain of JavaScript objects, leading to denial of
> > | service or arbitrary code execution. This issue arises from
> > | insufficient validation of attribute namespace removal operations,
> > | allowing unintended modification of critical object prototypes. The
> > | vulnerability remains unaddressed in the latest available version.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-57352
> >      https://www.cve.org/CVERecord?id=CVE-2025-57352
> > [1] https://github.com/Raynos/min-document/issues/54
> Upstream response is "This library is unmaintained / deprecated"...
> 
> IMO in unstable: upgrade reverse-dependencies to no more use it

Yes, this is the reason I mentioned it in the above "disclaimer"; I think
if this is the situation we should look to have it dropped from forky. If
you agree, would you take care of updating the reverse dependencies /
filing bugs? Otherwise, with the RC-level severity, some autoremovals will
be triggered and I guess will help with the goal for forky.

Regards,
Salvatore
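The CVE text quoted above names the mechanism (a namespace string of `__proto__` reaching the prototype chain through `removeAttributeNS`) but not why a plain-object attribute store is exposed to it. The following is a constructed toy model added for this thread; it is not min-document's own code, and the layout of the `attrs` object, the method bodies, the `probe` helper and the marker property name are all assumptions made to show the failure mode beside the hardened layout. The vulnerable store keeps namespaces in a plain object, so `attrs["__proto__"]` is `Object.prototype`; the safe store keeps the same API on `Map`s, where `"__proto__"` is just a key.

```javascript
'use strict';

// Added illustration for the CVE-2025-57352 discussion above. Constructed toy
// model of a namespaced attribute store; NOT min-document's own code. The
// shape of `attrs` and the method bodies are assumptions.

// Vulnerable layout: namespaces live in a plain object, so the namespace
// string "__proto__" resolves to Object.prototype instead of a fresh bucket.
function makeVulnerableStore() {
  const attrs = {};
  return {
    setAttributeNS(ns, name, value) {
      const bucket = attrs[ns] || (attrs[ns] = {});
      bucket[name] = String(value);
    },
    removeAttributeNS(ns, name) {
      if (attrs[ns]) {
        delete attrs[ns][name];
      }
    },
  };
}

// Hardened layout: Map keys are opaque strings, so "__proto__" is an ordinary
// key and no lookup can walk the prototype chain.
function makeSafeStore() {
  const attrs = new Map();
  return {
    setAttributeNS(ns, name, value) {
      let bucket = attrs.get(ns);
      if (bucket === undefined) {
        bucket = new Map();
        attrs.set(ns, bucket);
      }
      bucket.set(name, String(value));
    },
    removeAttributeNS(ns, name) {
      const bucket = attrs.get(ns);
      if (bucket !== undefined) bucket.delete(name);
    },
    getAttributeNS(ns, name) {
      const bucket = attrs.get(ns);
      if (bucket === undefined) return null;
      const v = bucket.get(name);
      return v === undefined ? null : v;
    },
  };
}

// Run the same untrusted (namespace, name) pair through a store and report
// whether Object.prototype was touched. The marker property is constructed
// for the demo and removed again before returning, whatever happens.
function probe(makeStore) {
  const marker = '__cve_2025_57352_probe__'; // assumed, demo-only name
  Object.defineProperty(Object.prototype, marker, {
    value: 'present', configurable: true, writable: true, enumerable: false,
  });
  try {
    const store = makeStore();
    // Removal with namespace "__proto__": in the plain-object layout the
    // bucket IS Object.prototype, so the marker disappears from every object.
    store.removeAttributeNS('__proto__', marker);
    const removedFromPrototype = !(marker in {});
    // The write path has the same root cause and shows up as pollution.
    store.setAttributeNS('__proto__', 'polluted', 'yes');
    const writtenToPrototype = ({}).polluted === 'yes';
    return { removedFromPrototype, writtenToPrototype };
  } finally {
    delete Object.prototype[marker];
    delete Object.prototype.polluted;
  }
}
```

Running `probe(makeVulnerableStore)` returns `{ removedFromPrototype: true, writtenToPrototype: true }`, while `probe(makeSafeStore)` returns `false` for both; the safe store still stores and retrieves a real attribute under the literal namespace string `"__proto__"`. The same result is obtained with `Object.create(null)` buckets; the point is that any store keyed by caller-controlled strings must not resolve those strings through a prototype chain.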