node-xmldom - Debian Package Tracker

general

source: node-xmldom (main)
version: 0.9.10-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Bastien Roucariès [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.5.0-1+deb11u2
oldstable: 0.8.6-1
stable: 0.9.6-1
testing: 0.9.9-1
unstable: 0.9.10-1

versioned links

0.5.0-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.8.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.9-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.9.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-xmldom

action needed

5 security issues in trixie high

There are 5 open security issues in trixie.

4 important issues:

CVE-2026-41672: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41673: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41674: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41675: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

1 issue left for the package maintainer to handle:

CVE-2026-34601: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-03 Last update: 2026-05-08 07:00

4 security issues in forky high

There are 4 open security issues in forky.

4 important issues:

CVE-2026-41672: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41673: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41674: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41675: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

Created: 2026-05-07 Last update: 2026-05-08 07:00

6 security issues in bullseye high

There are 6 open security issues in bullseye.

4 important issues:

CVE-2026-41672: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41673: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41674: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41675: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

1 issue postponed or untriaged:

CVE-2026-34601: (postponed; to be fixed through a stable update) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.

1 ignored issue:

CVE-2021-32796: xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

Created: 2026-05-07 Last update: 2026-05-08 07:00

5 security issues in bookworm high

There are 5 open security issues in bookworm.

4 important issues:

CVE-2026-41672: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment-breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41673: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41674: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.
CVE-2026-41675: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?>. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. This issue has been patched in versions @xmldom/xmldom versions 0.9.10 and 0.8.13.

1 issue left for the package maintainer to handle:

CVE-2026-34601: (needs triaging) xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator ]]> to be inserted into a CDATASection node. During serialization, XMLSerializer emitted the CDATA content verbatim without rejecting or safely splitting the terminator. As a result, data intended to remain text-only became active XML markup in the serialized output, enabling XML structure injection and downstream business-logic manipulation. This issue has been patched in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and 0.9.9.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-04-03 Last update: 2026-05-08 07:00

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-12 Last update: 2026-05-15 16:02

testing migrations

excuses:
- Migration status for node-xmldom (0.9.9-1 to 0.9.10-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for node-speech-rule-engine/4.0.7+~0.1.31-2: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: No tests, superficial or marked flaky ♻, loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-svg2ttf/6.0.3+~cs4.8.1-1: amd64: No tests, superficial or marked flaky ♻, arm64: No tests, superficial or marked flaky ♻, i386: No tests, superficial or marked flaky ♻, loong64: Test triggered, ppc64el: No tests, superficial or marked flaky ♻, riscv64: No tests, superficial or marked flaky ♻, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-xmldom/0.9.10-1: amd64: Pass, arm64: Pass, i386: Regression ♻ (reference ♻), loong64: Test triggered, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-xmldom.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 8 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-05-06] Accepted node-xmldom 0.9.10-1 (source) into unstable (Xavier Guimard)
[2026-04-08] node-xmldom 0.9.9-1 MIGRATED to testing (Debian testing watch)
[2026-04-06] Accepted node-xmldom 0.9.9-1 (source) into unstable (Xavier Guimard)
[2026-01-10] node-xmldom 0.9.8-2 MIGRATED to testing (Debian testing watch)
[2026-01-08] Accepted node-xmldom 0.9.8-2 (source) into unstable (Santiago Vila)
[2026-01-08] node-xmldom 0.9.8-1 MIGRATED to testing (Debian testing watch)
[2026-01-05] Accepted node-xmldom 0.9.8-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-01-15] node-xmldom 0.9.6-1 MIGRATED to testing (Debian testing watch)
[2025-01-13] Accepted node-xmldom 0.9.6-1 (source) into unstable (Jérémy Lal)
[2025-01-13] node-xmldom REMOVED from testing (Debian testing watch)
[2024-10-28] Accepted node-xmldom 0.9.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2023-01-01] Accepted node-xmldom 0.1.27+ds-1+deb10u2 (source) into oldstable (Guilhem Moulin)
[2022-12-10] Accepted node-xmldom 0.5.0-1+deb11u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-11-26] node-xmldom 0.8.6-1 MIGRATED to testing (Debian testing watch)
[2022-11-24] Accepted node-xmldom 0.8.6-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-10-18] Accepted node-xmldom 0.1.27+ds-1+deb10u1 (source all) into oldstable (Yadd) (signed by: Xavier Guimard)
[2022-10-15] Accepted node-xmldom 0.5.0-1+deb11u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-10-14] node-xmldom 0.8.3-1 MIGRATED to testing (Debian testing watch)
[2022-10-12] Accepted node-xmldom 0.8.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-25] node-xmldom 0.7.5-1 MIGRATED to testing (Debian testing watch)
[2021-11-22] Accepted node-xmldom 0.7.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-08-30] node-xmldom 0.7.3-1 MIGRATED to testing (Debian testing watch)
[2021-08-28] Accepted node-xmldom 0.7.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-21] node-xmldom 0.5.0-1 MIGRATED to testing (Debian testing watch)
[2021-04-14] Accepted node-xmldom 0.5.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2020-12-25] node-xmldom 0.4.0-2 MIGRATED to testing (Debian testing watch)
[2020-12-22] Accepted node-xmldom 0.4.0-2 (source) into unstable (Xavier Guimard)
[2020-12-22] Accepted node-xmldom 0.4.0-1 (source) into unstable (Xavier Guimard)
[2018-12-13] node-xmldom 0.1.27+ds-1 MIGRATED to testing (Debian testing watch)
[2018-12-05] Accepted node-xmldom 0.1.27+ds-1 (source all) into unstable, unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.9.8-2