Source: node-min-document Version: 2.19.0+~cs2.20.2-2 Severity: grave Tags: security upstream Justification: user security hole Forwarded: https://github.com/Raynos/min-document/issues/54 X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi Yadd, The following vulnerability was published for node-min-document. Disclaimer: did make it deliberately RC while maybe not directly warrranted because the module seems unamaintained/obsolete upstream. Feel free to downgrade to important if you disagree. Should it be removed from unstable? CVE-2025-57352[0]: | A vulnerability exists in the 'min-document' package prior to | version 2.19.0, stemming from improper handling of namespace | operations in the removeAttributeNS method. By processing malicious | input involving the __proto__ property, an attacker can manipulate | the prototype chain of JavaScript objects, leading to denial of | service or arbitrary code execution. This issue arises from | insufficient validation of attribute namespace removal operations, | allowing unintended modification of critical object prototypes. The | vulnerability remains unaddressed in the latest available version. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-57352 https://www.cve.org/CVERecord?id=CVE-2025-57352 [1] https://github.com/Raynos/min-document/issues/54 Regards, Salvatore -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
