Update @xmldom/xmldom to address this: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom · CVE-2022-37616 · GitHub Advisory Database · GitHub
Would you mind clarifying what the vulnerability would allow an attacker to do? My understanding is that xmldom is only used by Expo during the prebuild process. Is this something that could cause problems if someone downloads the source code for a maliciously created Expo app and runs npx expo prebuild?
Hi! I have a habit of keeping dependencies up to date, especially when there are mentions of vulnerabilities. I’m not even familiar with what xmldom does, but noticed a warning about this in my project. But feel free to ignore this if you feel that this is unnecessary.
OK, well, one thing to keep in mind is that Expo uses xmldom only during the build process. It’s not embedded/used in your app (unless you add it as a dependency). It is used for things like adding stuff to
So I think the only way it could be a problem is if someone creates an Expo app with some malicious source code and then convinces someone to run npx expo prebuild, or npx expo run (which calls prebuild), or eas build (which calls prebuild; if they use the --local option it will run the build on their own machine, otherwise it will be run on one of the build servers).
I had a look at the description of the bug and have a vague idea of what the problem was, but I don’t know how it can be exploited, so I can’t say how likely the above scenario is.
post-install scripts which is again arbitrary code, basically. (See GitHub - naugtur/can-i-ignore-scripts)
Also, if someone wants to exploit you via @xmldom/xmldom they could reference an older version of it in their dependencies before convincing you to download it and run npx expo prebuild.
Note: I am just another Expo user. I don’t know what the Expo team thinks about this.
EDIT: See also: https://twitter.com/dan_abramov/status/1412776197528997894
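The reply above raises two things worth checking in a downloaded project before running npx expo prebuild: which copies of xmldom / @xmldom/xmldom the lockfile actually resolves (a dependency can pin an old one), and which packages declare install-time lifecycle scripts. The script below is an added example, not code from this thread or from Expo; the lockfile it reads is constructed for the example, and the patched-version threshold is a placeholder to be replaced with the version given in the advisory.

```javascript
// Added example (not from the forum thread or the Expo project). Reads a
// package-lock.json (v2/v3 "packages" layout) and reports (a) every resolved
// copy of xmldom / @xmldom/xmldom, flagged if older than a given threshold, and
// (b) every package that runs a lifecycle script at install time.

// Constructed lockfile fragment for the example; a real run would read the file.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@xmldom/xmldom": "^0.7.0" } },
    "node_modules/@xmldom/xmldom": { version: "0.7.5" },
    "node_modules/some-lib/node_modules/xmldom": { version: "0.6.0" },
    "node_modules/some-native-lib": { version: "1.2.3", hasInstallScript: true },
    "node_modules/left-pad": { version: "1.3.0" },
  },
});

// PLACEHOLDER: replace with the patched version listed in the advisory.
const MIN_SAFE = "9.9.9";

const XMLDOM_NAMES = new Set(["xmldom", "@xmldom/xmldom"]);

// Numeric dotted-version comparison ("0.7.9" < "0.7.10"); pre-release tags are ignored.
function versionLess(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Walk every installed package path (including nested node_modules) and collect findings.
function auditLockfile(lockfileJson, minSafe) {
  const lock = JSON.parse(lockfileJson);
  const xmldomCopies = [];   // every resolved xmldom / @xmldom/xmldom, with an outdated flag
  const installScripts = []; // packages that execute code during `npm install`
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (XMLDOM_NAMES.has(name)) {
      xmldomCopies.push({ name, version: entry.version, path, outdated: versionLess(entry.version, minSafe) });
    }
    if (entry.hasInstallScript) installScripts.push({ name, version: entry.version });
  }
  return { xmldomCopies, installScripts };
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE, MIN_SAFE), null, 2));
```

Any package listed under installScripts runs arbitrary code at install time regardless of the xmldom question, which is the point the can-i-ignore-scripts link above makes.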
Seems to be updated now