Uncontrolled Recursion in xmldom - #VU126513

 


Published: April 20, 2026


Vulnerability identifier: #VU126513
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-674
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: xmldom
Affected software: xmldom

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled recursion in the DOM tree traversal logic in lib/dom.js when affected DOM operations process a deeply nested XML document. A remote attacker can send a valid, deeply nested XML document to cause a denial of service.

The XML parser can successfully parse the crafted document, and the crash occurs during subsequent DOM operations such as XML serialization, normalization, node cloning, node import, text content access, tree comparison, or element lookup.
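A depth guard for the window described above, after a successful parse and before any recursive DOM operation, as an added example that is not xmldom's code or the vendor's fix. `MAX_DEPTH`, the function names and the plain-object sample tree are assumptions made here for illustration; the walk relies only on the standard `firstChild`, `nextSibling` and `parentNode` properties.

```javascript
// Assumed policy limit (not from the advisory); tune to your real documents.
const MAX_DEPTH = 512;

// Iterative pre-order walk using only firstChild/nextSibling/parentNode.
// Returns the deepest nesting level (root = 1); stops early past `limit`.
function measureDepth(root, limit = Infinity) {
  let node = root, depth = 1, max = 1;
  while (node) {
    if (node.firstChild) {
      node = node.firstChild;
      if (++depth > max) max = depth;
      if (max > limit) return max;
      continue;
    }
    // Leaf: climb until a sibling exists or we are back at the root.
    while (node !== root && !node.nextSibling) {
      node = node.parentNode;
      depth--;
    }
    if (node === root) break;
    node = node.nextSibling;
  }
  return max;
}

// Call between parsing and any serialize/normalize/clone/lookup operation.
function assertSafeDepth(doc, limit = MAX_DEPTH) {
  if (measureDepth(doc, limit) > limit) {
    throw new RangeError(`XML nesting exceeds ${limit} levels; rejecting`);
  }
  return doc;
}

// Recursive walker: stand-in for the failure mode, not xmldom's code.
function recursiveDepth(node) {
  let max = 0;
  for (let c = node.firstChild; c; c = c.nextSibling) {
    max = Math.max(max, recursiveDepth(c));
  }
  return 1 + max;
}

// Constructed sample input: a chain of `n` nested plain-object nodes.
function makeChain(n) {
  const root = { parentNode: null, firstChild: null, nextSibling: null };
  let cur = root;
  for (let i = 1; i < n; i++) {
    cur.firstChild = { parentNode: cur, firstChild: null, nextSibling: null };
    cur = cur.firstChild;
  }
  return root;
}
```

The guard's own stack use is constant regardless of nesting, so it can safely reject a document that a recursive traversal could not survive.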


Remediation

Install the security update from the vendor's website.

Sources