Is xmldom safe to use?

xmldom has 7 known vulnerabilities on the latest version (0.6.0). DepScope rates its health at 37/100 (critical risk).

What is the latest version of xmldom?

The latest version of xmldom is 0.6.0, released 2021-04-17.

Yes. xmldom has 7 known vulnerabilities. See depscope.dev/pkg/npm/xmldom for details.

No, xmldom is actively maintained. Latest release: 0.6.0 (2021-04-17).

Popular alternatives to xmldom in npm include: debug, chalk, picomatch, source-map, has-flag.

npmv0.6.0

A pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module.

License MITpermissive36 versions2 maintainers0 deps1,514,456 weekly dl

/ 100

Health

do not use

xmldom has critical vulnerabilities — do not use

Update to >= 0.9.10 to fix known vulnerabilities

Health breakdown0 – 100

0/25

maintenance

17/20

popularity

0/25

security

15/15

maturity

5/15

community

Vulnerabilities

1 critical5 high1 medium

Advisories (7)

Severity	ID	Summary	Fixed in
high	CVE-2026-41673	xmldom: Uncontrolled recursion in XML serialization leads to DoS	0.9.10
medium	CVE-2021-32796	Misinterpretation of malicious XML input	0.7.0
critical	CVE-2022-39353	xmldom allows multiple root nodes in a DOM	0.9.0-beta.4
high	CVE-2026-41674	xmldom has XML injection through unvalidated DocumentType serialization	0.9.10
high	CVE-2026-41672	xmldom has XML node injection through unvalidated comment serialization	0.9.10
high	CVE-2026-34601	xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion	0.9.9
high	CVE-2026-41675	xmldom has XML node injection through unvalidated processing instruction serialization	0.9.10

🌟

7/10typed

Types from @types/xmldom (DefinitelyTyped)

Quality signals

Publish security

npm signed

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/npm/xmldom