Critical Type Confusion Vulnerability Disclosed in libxmljs2 XML Parser: All Versions <=0.35.0 Affected
A critical type confusion vulnerability has been disclosed in `libxmljs2`, a widely used open-source XML parsing library for Node.js. The flaw, classified under CWE-843, carries a CVSS score of 8.1, placing it in the critical severity range. The vulnerability exists in all versions up to and including 0.35.0 and can be triggered when parsing specially crafted XML documents, potentially allowing attackers to exploit memory corruption or unexpected behavior in applications that depend on the library.
The issue was uncovered through automated security scanning and publicly disclosed via GitHub on April 2, 2026. The vulnerability affects the root package of `libxmljs2`, suggesting the flaw resides in core parsing logic rather than an auxiliary component. Type confusion vulnerabilities arise when a program fails to properly validate the type of data being processed, which can lead to arbitrary code execution or data integrity violations depending on how the malformed input is handled downstream.
Maintainers have released version 0.37.0 as the patched update, though they note that it may constitute a breaking change, so developers should review the changelog before upgrading. Organizations using `libxmljs2` in production are advised to audit their dependency trees immediately: because the library is common in XML-heavy applications, a single vulnerable copy may be pulled in transitively across many service boundaries. The full technical advisory and remediation guidance are available through the GitHub Security Advisories database.
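As an added example of the dependency audit the advisory recommends (this is not code from the advisory or from the `libxmljs2` project), the Node script below scans an npm `package-lock.json` for every installed copy of `libxmljs2`, including nested transitive copies that `npm ls` output can hide, and classifies each against the version range stated above: at most 0.35.0 is affected, 0.37.0 is the fix. The lockfile contents are constructed; `some-dep` and `example-service` are placeholder names. Versions between 0.35.0 and 0.37.0 are reported as "unverified" because the advisory summary above says nothing about them.

```javascript
// Added example: audit an npm package-lock.json for libxmljs2 copies.
// Version bounds come from the advisory summary (<= 0.35.0 affected, 0.37.0 fixed);
// the lockfile objects below are constructed sample data, not real projects.

const PACKAGE = "libxmljs2";
const AFFECTED_MAX = "0.35.0"; // inclusive upper bound of affected versions
const FIXED_MIN = "0.37.0";    // first patched release named in the advisory

// Parse "MAJOR.MINOR.PATCH" (optional "v" prefix; pre-release suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way numeric comparison on the major.minor.patch triple.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "affected" / "fixed" per the advisory; anything in between is "unverified".
function classify(version) {
  if (compareVersions(version, AFFECTED_MAX) <= 0) return "affected";
  if (compareVersions(version, FIXED_MIN) >= 0) return "fixed";
  return "unverified";
}

function record(findings, path, meta) {
  findings.push({ path, version: meta.version, status: classify(meta.version), dev: Boolean(meta.dev) });
}

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/some-dep/node_modules/libxmljs2".
function scanPackagesMap(packages, findings) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // the root project entry
    const name = meta.name || path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (name === PACKAGE) record(findings, path, meta);
  }
}

// lockfileVersion 1: nested "dependencies" objects; a de-duplicated transitive
// copy appears under its parent's own "dependencies".
function scanDependencyTree(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === PACKAGE) record(findings, path, meta);
    if (meta.dependencies) scanDependencyTree(meta.dependencies, `${path}/`, findings);
  }
}

// Returns every installed copy of libxmljs2 with its status, sorted by path.
function auditLockfile(lock) {
  const findings = [];
  if (lock.packages) scanPackagesMap(lock.packages, findings);
  else scanDependencyTree(lock.dependencies, "", findings);
  return findings.sort((x, y) => x.path.localeCompare(y.path));
}

// Constructed lockfileVersion 3 sample: one affected copy hoisted to the top
// level and one patched copy nested under the hypothetical "some-dep".
const SAMPLE_LOCK_V3 = {
  name: "example-service", lockfileVersion: 3, packages: {
    "": { name: "example-service", version: "1.0.0" },
    "node_modules/libxmljs2": { version: "0.35.0" },
    "node_modules/some-dep": { version: "2.1.0" },
    "node_modules/some-dep/node_modules/libxmljs2": { version: "0.37.0" },
  },
};

// The same two copies in the older lockfileVersion 1 layout (constructed).
const SAMPLE_LOCK_V1 = {
  name: "example-service", lockfileVersion: 1, dependencies: {
    libxmljs2: { version: "0.35.0" },
    "some-dep": { version: "2.1.0", dependencies: { libxmljs2: { version: "0.37.0" } } },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  console.log(`lockfileVersion ${lock.lockfileVersion}:`);
  for (const f of auditLockfile(lock)) {
    console.log(`  ${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.path}`);
  }
}
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a finding with status `affected` anywhere in the tree, not only at the top level, means the service is exposed until that copy is moved to 0.37.0 or later.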