CVE-2026-25896

Summary

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.

Affected Software

VendorProductVersion RangeStatus
NaturalIntelligencefast-xml-parser>= 5.0.0, < 5.3.5affected
NaturalIntelligencefast-xml-parser>= 4.1.3, < 4.5.4affected

Weaknesses

  • CWE-185: CWE-185: Incorrect Regular Expression

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling

Additional References

References