Critical libxmljs2 Vulnerability Exposes XML Parsing to Type Confusion Attacks (CVSS 8.1)
A critical security vulnerability has been identified in libxmljs2, a widely-used Node.js library for XML parsing, exposing applications to type confusion attacks when processing specially crafted XML documents. The flaw, classified as CWE-843, carries a CVSS severity score of 8.1, placing it in the high-criticality range and signaling significant risk for any production systems relying on vulnerable versions of the package.
The vulnerability affects all versions of libxmljs2 up to and including 0.35.0, with the package as a whole identified as the affected component. Type confusion vulnerabilities occur when a program interprets data as a different type than it was intended to hold, which can lead to unpredictable behavior or exploitation depending on the context. The issue was flagged through an automated security scan and is documented under advisory GHSA-78h3-pg4x-j8cv on GitHub.
Remediation requires upgrading to libxmljs2 version 0.37.0, though developers should note this may introduce breaking changes and are advised to review the changelog before deployment. Organizations with XML processing pipelines or applications handling untrusted XML input should prioritize this patch, as the attack vector—specially crafted XML—can be delivered through standard input channels. The discovery highlights the importance of continuous vulnerability monitoring for open-source dependencies in production environments.
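The affected range and fix version above translate directly into a dependency check. The following Node.js script is an added example written for this article, not code from the advisory or the libxmljs2 project: it walks the `packages` map of a package-lock.json (lockfile v2/v3 layout), finds every installed copy of libxmljs2, including nested copies under other packages, and reports any below 0.37.0. Entries at or below 0.35.0 are marked `affected` per the advisory; anything else below the fix version is marked `not-remediated`, since the article names 0.37.0 as the version to upgrade to. The sample lockfile, the `compareSemver` helper and the `findVulnerable`/`report` function names are this example's own constructions.

```javascript
// Added example (not from the advisory or the libxmljs2 project): scan a
// package-lock.json "packages" map for libxmljs2 and flag versions below the
// fixed release named in the advisory.

// Versions taken from the advisory text: affected up to and including 0.35.0,
// fixed in 0.37.0.
const ADVISORY = {
  id: 'GHSA-78h3-pg4x-j8cv',
  pkg: 'libxmljs2',
  lastAffected: '0.35.0',
  fixed: '0.37.0',
};

// Minimal numeric semver comparison (major.minor.patch; a leading "v" and any
// pre-release suffix are ignored). Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const parse = (v) =>
    v.replace(/^v/, '').split('-')[0].split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/libxmljs2"
// or "node_modules/foo/node_modules/libxmljs2" for nested installs; the root
// project itself has the key "".
function findVulnerable(lock, advisory = ADVISORY) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Suffix match on the full segment so "libxmljs2-extra" does not match.
    if (!path.endsWith('node_modules/' + advisory.pkg)) continue;
    const version = entry.version;
    if (!version) continue;
    if (compareSemver(version, advisory.fixed) < 0) {
      findings.push({
        path,
        version,
        // "affected" is the range the advisory explicitly lists; anything
        // else below the fixed release is reported as not yet remediated.
        status:
          compareSemver(version, advisory.lastAffected) <= 0 ? 'affected' : 'not-remediated',
        dev: Boolean(entry.dev),
      });
    }
  }
  return findings;
}

// Constructed sample lockfile for demonstration (not a real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { libxmljs2: '^0.33.0' } },
    'node_modules/libxmljs2': { version: '0.33.0' },
    'node_modules/some-tool': { version: '1.2.3', dev: true },
    'node_modules/some-tool/node_modules/libxmljs2': { version: '0.37.0' },
    'node_modules/libxmljs2-extra': { version: '0.1.0' }, // name-prefix decoy
  },
};

// Print one line per finding and return the findings for callers/CI.
function report(lock) {
  const findings = findVulnerable(lock);
  for (const f of findings) {
    console.log(
      `${ADVISORY.id}: ${f.path}@${f.version} is ${f.status}; upgrade to ` +
        `${ADVISORY.fixed}${f.dev ? ' (dev dependency)' : ''}`
    );
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node check-libxmljs2.js [path/to/package-lock.json]
  // With no argument the constructed sample lockfile is scanned.
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  process.exitCode = report(lock).length ? 1 : 0;
}
```

Run it against a real lockfile to get a non-zero exit code whenever an unpatched copy is installed, which makes it usable as a CI gate. The nested-path match matters because a transitive dependency can pin its own older libxmljs2 even after the top-level copy has been upgraded, and the `dev` flag helps triage findings that never reach production builds.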