Update @xmldom/xmldom to address this: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom · CVE-2022-37616 · GitHub Advisory Database · GitHub
Hi @janpe
Would you mind clarifying what the vulnerability would allow an attacker to do? My understanding is that xmldom is only used by Expo during the prebuild process. Is this something that could cause problems if someone downloads the source code for a maliciously created Expo app and runs npx expo prebuild?
Hi! I have a habit of keeping dependencies up to date, especially when there are mentions of vulnerabilities. I'm not even familiar with what xmldom does, but noticed a warning about this in my project. But feel free to ignore this if you feel that this is unnecessary.
OK, well, one thing to keep in mind is that Expo uses xmldom only during the build process. It's not embedded/used in your app (unless you add it as a dependency). It is used for things like adding stuff to AndroidManifest.xml and Info.plist.
So I think the only way it could be a problem is if someone creates an Expo app with some malicious source code and then convinces someone to run npx expo prebuild, or npx expo run (which calls prebuild), or eas build (which calls prebuild). If they use the --local option, it will run the build on their own machine; otherwise it will be run on one of the build servers.
I had a look at the description of the bug and have a vague idea of what the problem was, but I don't know how it can be exploited, so I can't say how likely the above scenario is.
But npx expo prebuild can run arbitrary JavaScript code anyway. And with build lifecycle hooks they could run any arbitrary commands that happen to be available. Also, when you install JS dependencies they can run post-install scripts, which is again arbitrary code, basically. (See GitHub - naugtur/can-i-ignore-scripts)
Also, if someone wants to exploit you via @xmldom/xmldom, they could reference an older version of it in their dependencies before convincing you to download it and run npx expo prebuild.
Note: I am just another Expo user. I don’t know what the Expo team thinks about this.
EDIT: See also: https://twitter.com/dan_abramov/status/1412776197528997894
Seems to be updated now