CVE-2026-25896
XSS via Entity Replacement Flaw in fast-xml-parser XML Parsing

Publication date: 2026-02-20

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
fast-xml-parser allows users to validate XML, parse XML to a JS object, or build XML from a JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Affected Vendors & Products
Vendor: naturalintelligence
Product: fast-xml-parser
Version / Range: from 4.1.3 (inclusive) to 5.3.5 (exclusive)
CWE
CWE-185: The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Executive Summary

CVE-2026-25896 is a critical vulnerability in the fast-xml-parser library versions from 4.1.3 up to before 5.3.5. It occurs because the parser treats a dot (.) in a DOCTYPE entity name as a regex wildcard during entity replacement without properly escaping it. This allows an attacker to create custom XML entities with dots in their names that shadow the five built-in XML entities (<, >, &, ", ').

Because the dot is interpreted as a wildcard in the regular expression, the attacker can bypass XML entity encoding and inject arbitrary values. This leads to cross-site scripting (XSS) vulnerabilities when the parsed XML output is rendered in HTML contexts, such as innerHTML or server-side rendering. The vulnerability also enables injection attacks in other contexts like SQL by shadowing the & entity.

The root cause is the failure to escape regex metacharacters, especially the dot, when constructing regular expressions for entity replacement. The vulnerability affects default configurations and requires no special parser options or privileges to exploit.

Impact Analysis

This vulnerability can have severe impacts if you use fast-xml-parser to parse untrusted XML data and then use the parsed output in injection-sensitive contexts such as HTML or SQL.

  • Allows attackers to bypass XML entity encoding, enabling injection of arbitrary HTML or JavaScript code leading to cross-site scripting (XSS).
  • Enables injection of malicious SQL commands by shadowing the & entity, potentially leading to SQL injection attacks.
  • No special privileges or user interaction are required, making exploitation relatively easy.
  • Can compromise the integrity of applications by allowing attackers to inject malicious content, potentially leading to data theft, session hijacking, or other attacks.

Overall, the vulnerability poses a critical risk to applications relying on fast-xml-parser for XML processing in security-sensitive environments.

Compliance Impact

I don't know

Detection Guidance

This vulnerability affects versions of the fast-xml-parser package from 4.1.3 up to before 5.3.5. To detect if your system is vulnerable, you should check the version of fast-xml-parser installed in your environment.

You can detect the presence of the vulnerable package and its version by running commands such as:

  • npm list fast-xml-parser
  • yarn list fast-xml-parser

If the installed version is >=4.1.3 and <=5.3.4 (that is, any version before the 5.3.5 fix), your system is vulnerable.

Additionally, you can scan your codebase or dependencies for usage of fast-xml-parser and check if the default configuration (processEntities: true) is used, as this setting is vulnerable.

Mitigation Strategies

The primary mitigation step is to upgrade the fast-xml-parser package to version 5.3.5 or later, where the vulnerability has been fixed by properly escaping regex metacharacters in entity names.

If upgrading immediately is not possible, consider disabling entity processing or avoiding parsing untrusted XML inputs until the fix can be applied.

Ensure that your application does not use the vulnerable default configuration (processEntities: true) without proper validation or sanitization of XML input.

Review and apply patches or updates from the official fast-xml-parser repository that address this issue, as described in the security advisory and commits.
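Added here as an example, not code from the CVE record or the fast-xml-parser project: the detection and mitigation guidance above as working JavaScript, with a check of an installed version against the affected range, a pre-parse scan of untrusted XML for DOCTYPE entity names that contain regex metacharacters (the dot the record describes), and the processEntities: false setting the record names for the interim. The entity-declaration regex and the sample XML are assumptions constructed for the demo.

```javascript
// Added example (not from fast-xml-parser or the advisory): two defender
// checks for CVE-2026-25896 plus the interim parser setting. Sample XML is
// constructed for the demo; processEntities is the option the record names.

const AFFECTED_MIN = '4.1.3'; // inclusive
const FIXED_IN = '5.3.5';     // exclusive

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when an installed version (a leading ^, ~ or v as found in
// package.json or lockfiles is tolerated) is >=4.1.3 and <5.3.5.
function isAffectedVersion(version) {
  const v = version.trim().replace(/^[~^v]/, '');
  return compareVersions(v, AFFECTED_MIN) >= 0 &&
         compareVersions(v, FIXED_IN) < 0;
}

// Entity declarations in an internal DTD subset, general (<!ENTITY name ...>)
// or parameter (<!ENTITY % name ...>); group 2 is the entity name.
const ENTITY_DECL = /<!ENTITY\s+(%\s*)?([^\s>]+)/g;
// Regex metacharacters; "." is the one this CVE is about.
const REGEX_META = /[.*+?^${}()|[\]\\]/;

// Names of declared entities that a vulnerable parser would turn into
// wildcard patterns; reject the document before parsing if non-empty.
function findSuspiciousEntityNames(xml) {
  const names = [];
  for (const m of xml.matchAll(ENTITY_DECL)) {
    if (REGEX_META.test(m[2])) names.push(m[2]);
  }
  return names;
}

// Interim options for untrusted input: with processEntities off, DOCTYPE
// entities are never expanded, so built-ins cannot be shadowed.
const HARDENED_OPTIONS = { processEntities: false };

// Constructed sample: one ordinary entity and one whose name contains ".".
const SAMPLE_XML =
  '<!DOCTYPE r [<!ENTITY copy "(c)"><!ENTITY x.y "v">]><r>&copy; &lt;b&gt;</r>';
```

Pass HARDENED_OPTIONS to `new XMLParser(...)` only as a stopgap; the upgrade to 5.3.5 or later remains the fix.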
