- Package: src:node-min-document
- Source: src:node-min-document
- Submitter: Salvatore Bonaccorso
- Date: 2026-03-08 17:45:03 UTC
- Severity: normal
- Tags:
Hi Yadd,

The following vulnerability was published for node-min-document.

Disclaimer: did make it deliberately RC while maybe not directly warranted because the module seems unmaintained/obsolete upstream. Feel free to downgrade to important if you disagree. Should it be removed from unstable?

CVE-2025-57352[0]:
| A vulnerability exists in the 'min-document' package prior to
| version 2.19.0, stemming from improper handling of namespace
| operations in the removeAttributeNS method. By processing malicious
| input involving the __proto__ property, an attacker can manipulate
| the prototype chain of JavaScript objects, leading to denial of
| service or arbitrary code execution. This issue arises from
| insufficient validation of attribute namespace removal operations,
| allowing unintended modification of critical object prototypes. The
| vulnerability remains unaddressed in the latest available version.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-57352
    https://www.cve.org/CVERecord?id=CVE-2025-57352
[1] https://github.com/Raynos/min-document/issues/54

Regards,
Salvatore
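The class of bug the CVE text describes, shown as an added example that is not part of the original report and is not min-document's code: a simplified namespaced attribute store with a naive removal next to a hardened one, plus a canary check suitable for a regression test. All function names and the store layout are assumptions made for illustration.

```javascript
// Simplified model of a namespaced attribute store: store[namespace][name] = value.
// Assumption: this is NOT min-document's source; all names here are hypothetical.

// Naive removal: a plain property read selects the namespace bucket.
// For namespace "__proto__" on an ordinary object, that read returns
// Object.prototype, so the delete lands on the shared prototype.
function naiveRemoveAttributeNS(store, namespace, name) {
  const bucket = store[namespace];
  if (bucket) {
    delete bucket[name];
  }
}

// Hardened variant: prototype-less containers, own-property lookups only,
// and explicit rejection of keys that address the prototype chain.
const RESERVED = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function makeSafeStore() {
  return Object.create(null);
}

function safeSetAttributeNS(store, namespace, name, value) {
  const ns = String(namespace), key = String(name);
  if (RESERVED.has(ns) || RESERVED.has(key)) return false;
  if (!hasOwn(store, ns)) store[ns] = Object.create(null);
  store[ns][key] = value;
  return true;
}

function safeRemoveAttributeNS(store, namespace, name) {
  const ns = String(namespace), key = String(name);
  if (RESERVED.has(ns) || RESERVED.has(key)) return false;
  if (!hasOwn(store, ns) || !hasOwn(store[ns], key)) return false;
  return delete store[ns][key];
}

// Regression check: plant a harmless canary on Object.prototype, run the
// removal with the "__proto__" namespace, report whether the canary vanished.
function removalTouchesPrototype(removeFn, store) {
  Object.defineProperty(Object.prototype, "__canary__",
    { value: 1, configurable: true, enumerable: false });
  removeFn(store, "__proto__", "__canary__");
  const touched = !("__canary__" in {});
  delete Object.prototype.__canary__;
  return touched;
}
```

The same canary check can be pointed at any reverse dependency's attribute-removal path to confirm that a replacement library does not reach the shared prototype.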
On 25/09/2025 at 21:19, Salvatore Bonaccorso wrote:

Upstream response is "This library is unmaintained / deprecated"...

IMO in unstable: upgrade reverse-dependencies to no longer use it
Hi,

Yes, this is the reason I mentioned it in above "disclaimer", think if this is the situation we should look to have it dropped from forky.

If you agree, would you take care of updating the reverse dependencies / file bugs? Otherwise with the RC level severity some autoremovals will be triggered and I guess help with the goal for forky.

Regards,
Salvatore