
# CVE-2021-21366: Misinterpretation of malicious XML input

### Impact

xmldom versions 0.4.0 and older do not correctly preserve [system identifiers](https://www.w3.org/TR/2008/REC-xml-20081126/#d0e4313), [FPIs](https://en.wikipedia.org/wiki/Formal_Public_Identifier) or [namespaces](https://www.w3.org/TR/xml-names11/) when repeatedly parsing and serializing maliciously crafted documents. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

### Patches

Update to 0.5.0 (once it is released).

### Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

### References

Similar to this one reported on the Go standard library:

- https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [`xmldom/xmldom`](https://github.com/xmldom/xmldom)
* Email us: send an email to **all** addresses that are shown by `npm owner ls xmldom`
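The workaround above says downstream applications should validate input; one concrete form of that validation is a round-trip stability gate: parse and serialize the document twice and reject it if the DOCTYPE's public or system identifier, the set of namespace declarations, or the serialized text itself does not survive. The block below is an added example and is not code from the advisory or from the xmldom project. It assumes the caller injects `parse` and `serialize` (with the xmldom package these would be `xml => new DOMParser().parseFromString(xml, 'text/xml')` and `doc => new XMLSerializer().serializeToString(doc)`); the `doctypeIdentifiers` and `namespaceDeclarations` helpers, the `SAMPLE_XML` document and the `dropsExternalId` stand-in are all constructed here, and the regex-based helpers are an approximation rather than a full XML parser.

```javascript
// Round-trip stability gate for XML input (added example; not xmldom project code).
// The check is parser-agnostic: `parse` and `serialize` are injected by the caller.
// With the xmldom package they would be
//   xml => new DOMParser().parseFromString(xml, 'text/xml')   and
//   doc => new XMLSerializer().serializeToString(doc)
// The helpers below inspect the raw text with regexes, which is an approximation
// (a DOCTYPE or xmlns inside a comment or CDATA section would also be picked up).

// Extract the DOCTYPE's public (FPI) and system identifiers, or nulls when absent.
function doctypeIdentifiers(xml) {
  const m = /<!DOCTYPE\s+[^\s>\[]+([^>\[]*)/i.exec(xml);
  if (!m) return { publicId: null, systemId: null };
  const ext = m[1].trim();
  const quoted = [...ext.matchAll(/"([^"]*)"|'([^']*)'/g)].map(q => q[1] ?? q[2]);
  if (/^PUBLIC\b/i.test(ext)) return { publicId: quoted[0] ?? null, systemId: quoted[1] ?? null };
  if (/^SYSTEM\b/i.test(ext)) return { publicId: null, systemId: quoted[0] ?? null };
  return { publicId: null, systemId: null };
}

// Collect every namespace declaration as "prefix=uri", sorted so attribute order does not matter.
function namespaceDeclarations(xml) {
  const decls = new Set();
  for (const m of xml.matchAll(/\s(xmlns(?::[\w.-]+)?)\s*=\s*(?:"([^"]*)"|'([^']*)')/g)) {
    decls.add(`${m[1]}=${m[2] ?? m[3]}`);
  }
  return [...decls].sort();
}

// Parse and serialize the document twice and report anything that did not survive:
// a changed external identifier, a changed set of namespace declarations, or a
// serialization that is not a fixed point (the second pass still alters the text).
function checkRoundTrip(xml, parse, serialize) {
  const once = serialize(parse(xml));
  const twice = serialize(parse(once));
  const problems = [];
  const before = doctypeIdentifiers(xml);
  const after = doctypeIdentifiers(once);
  if (before.publicId !== after.publicId) {
    problems.push(`public identifier changed: ${before.publicId} -> ${after.publicId}`);
  }
  if (before.systemId !== after.systemId) {
    problems.push(`system identifier changed: ${before.systemId} -> ${after.systemId}`);
  }
  const nsBefore = namespaceDeclarations(xml).join('\n');
  const nsAfter = namespaceDeclarations(once).join('\n');
  if (nsBefore !== nsAfter) problems.push('namespace declarations changed');
  if (once !== twice) problems.push('serialization is not idempotent');
  // A rejecting caller should discard the document when ok is false, not use `serialized`.
  return { ok: problems.length === 0, problems, serialized: once };
}

// Constructed sample input with an FPI, a system identifier and two namespace declarations.
const SAMPLE_XML = `<?xml version="1.0"?>
<!DOCTYPE note PUBLIC "-//EXAMPLE//DTD Note 1.0//EN" "http://example.invalid/note.dtd">
<note xmlns="urn:example:note" xmlns:x="urn:example:ext"><x:to>A</x:to></note>`;

// Identity parse/serialize stands in for an implementation that preserves everything.
const identity = s => s;
// Constructed stand-in for a lossy serializer: it drops the external identifier on output.
const dropsExternalId = s => s.replace(/\s+PUBLIC\s+("[^"]*")\s+("[^"]*")/i, '');

console.log(checkRoundTrip(SAMPLE_XML, identity, identity));         // ok: true
console.log(checkRoundTrip(SAMPLE_XML, identity, dropsExternalId));  // ok: false, two problems
```

The gate compares sorted declaration sets rather than raw attribute text, so a serializer that merely reorders or re-quotes attributes passes, while one that drops or rewrites an identifier or a namespace binding is caught. The idempotence check is the cheapest signal: if a second pass still changes the output, the first pass did not produce a stable representation, which is exactly the condition the advisory describes.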

### Vulnerability Details

| Field | Value |
| --- | --- |
| Score | 4.2 |
| Score Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| Affected Versions | xmldom < 0.5.0 |
| Severity | Medium |
| Ecosystem | JavaScript |
| Publish Date | March 12, 2021 |
| Modified Date | November 7, 2023 |