node-xmldom - Debian Package Tracker

general

source: node-xmldom (main)
version: 0.9.10-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Bastien Roucariès [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.5.0-1+deb11u2
oldstable: 0.8.6-1
stable: 0.9.6-1
testing: 0.9.9-1
unstable: 0.9.10-1

versioned links

0.5.0-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-xmldom

action needed

4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:

CVE-2026-41672: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41673: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41674: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41675: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

Created: 2026-05-07 Last update: 2026-05-22 22:17

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-12 Last update: 2026-05-26 09:03

5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:

CVE-2026-34601: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
CVE-2026-41672: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41673: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41674: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41675: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-03 Last update: 2026-05-22 22:17

5 low-priority security issues in bookworm low

There are 5 open security issues in bookworm.

5 issues left for the package maintainer to handle:

CVE-2026-34601: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.
CVE-2026-41672: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41673: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41674: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41675: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-04-03 Last update: 2026-05-22 22:17

testing migrations

excuses:
- Migration status for node-xmldom (0.9.9-1 to 0.9.10-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for node-xmldom/0.9.10-1: amd64: Pass, arm64: Pass, i386: Regression ♻ (reference ♻), ppc64el: Pass, riscv64: Pass, s390x: Pass
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-xmldom.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 19 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-06] Accepted node-xmldom 0.9.10-1 (source) into unstable (Xavier Guimard)
[2026-04-08] node-xmldom 0.9.9-1 MIGRATED to testing (Debian testing watch)
[2026-04-06] Accepted node-xmldom 0.9.9-1 (source) into unstable (Xavier Guimard)
[2026-01-10] node-xmldom 0.9.8-2 MIGRATED to testing (Debian testing watch)
[2026-01-08] Accepted node-xmldom 0.9.8-2 (source) into unstable (Santiago Vila)
[2026-01-08] node-xmldom 0.9.8-1 MIGRATED to testing (Debian testing watch)
[2026-01-05] Accepted node-xmldom 0.9.8-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-01-15] node-xmldom 0.9.6-1 MIGRATED to testing (Debian testing watch)
[2025-01-13] Accepted node-xmldom 0.9.6-1 (source) into unstable (Jérémy Lal)
[2025-01-13] node-xmldom REMOVED from testing (Debian testing watch)
[2024-10-28] Accepted node-xmldom 0.9.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-01-01] Accepted node-xmldom 0.1.27+ds-1+deb10u2 (source) into oldstable (Guilhem Moulin)
[2022-12-10] Accepted node-xmldom 0.5.0-1+deb11u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-11-26] node-xmldom 0.8.6-1 MIGRATED to testing (Debian testing watch)
[2022-11-24] Accepted node-xmldom 0.8.6-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-10-18] Accepted node-xmldom 0.1.27+ds-1+deb10u1 (source all) into oldstable (Yadd) (signed by: Xavier Guimard)
[2022-10-15] Accepted node-xmldom 0.5.0-1+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-10-14] node-xmldom 0.8.3-1 MIGRATED to testing (Debian testing watch)
[2022-10-12] Accepted node-xmldom 0.8.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-25] node-xmldom 0.7.5-1 MIGRATED to testing (Debian testing watch)
[2021-11-22] Accepted node-xmldom 0.7.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-08-30] node-xmldom 0.7.3-1 MIGRATED to testing (Debian testing watch)
[2021-08-28] Accepted node-xmldom 0.7.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-21] node-xmldom 0.5.0-1 MIGRATED to testing (Debian testing watch)
[2021-04-14] Accepted node-xmldom 0.5.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2020-12-25] node-xmldom 0.4.0-2 MIGRATED to testing (Debian testing watch)
[2020-12-22] Accepted node-xmldom 0.4.0-2 (source) into unstable (Xavier Guimard)
[2020-12-22] Accepted node-xmldom 0.4.0-1 (source) into unstable (Xavier Guimard)
[2018-12-13] node-xmldom 0.1.27+ds-1 MIGRATED to testing (Debian testing watch)
[2018-12-05] Accepted node-xmldom 0.1.27+ds-1 (source all) into unstable, unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.9.8-2