Is xmldom safe to use?

xmldom has 7 known vulnerabilities on the latest version (0.6.0). DepScope rates its health at 40/100 (high risk).

What is the latest version of xmldom?

The latest version of xmldom is 0.6.0, released 2021-04-17.

Does xmldom have known vulnerabilities?

Yes. xmldom has 7 known vulnerabilities. See depscope.dev/pkg/npm/xmldom for details.

Is xmldom deprecated?

No, xmldom is actively maintained. Latest release: 0.6.0 (2021-04-17).

What are alternatives to xmldom?

Popular alternatives to xmldom in npm include: ?, semver, minimatch, debug, brace-expansion.

xmldom

npmv0.6.0

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

License MITpermissive36 versions2 maintainers0 deps1,624,026 weekly dl

xmldom/xmldom

/ 100

Health

do not use

xmldom has critical vulnerabilities — do not use

Update to >= 0.9.10 to fix known vulnerabilities

Moderate health score (40/100) — verify manually
5 high severity vulnerabilities
1 critical vulnerabilities

Health breakdown0 – 100

25/25

maintenance

17/20

popularity

0/25

security

15/15

maturity

5/15

community

0/15

popularity_floor

Vulnerabilities

1 critical5 high1 medium

Advisories (7)

Severity	ID	Summary	Fixed in
high	CVE-2026-41673	xmldom: Uncontrolled recursion in XML serialization leads to DoS	0.9.10
medium	CVE-2021-32796	Misinterpretation of malicious XML input	0.7.0
critical	CVE-2022-39353	xmldom allows multiple root nodes in a DOM	0.9.0-beta.4
high	CVE-2026-41674	xmldom has XML injection through unvalidated DocumentType serialization	0.9.10
high	CVE-2026-41672	xmldom has XML node injection through unvalidated comment serialization	0.9.10
high	CVE-2026-34601	xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion	0.9.9
high	CVE-2026-41675	xmldom has XML node injection through unvalidated processing instruction serialization	0.9.10

Bundle & TypeScript

📦

Bundle Size

28.0 KBminified

10.1 KB gzipped

0 direct dependencies

side effects

🌟

TypeScript

7/10typed

Types from @types/xmldom (DefinitelyTyped)

Quality signals

Publish security

npm signed

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/npm/xmldom