Skip to main content

fast-xml-builder CVE-2026-44664

MEDIUM
XML Injection (aka Blind XPath Injection) (CWE-91)
2026-05-08 https://github.com/NaturalIntelligence/fast-xml-builder GHSA-45c6-75p6-83cc
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 17:01 vuln.today
Analysis Generated
May 08, 2026 - 17:01 vuln.today
CVE Published
May 08, 2026 - 16:27 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Summary

The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.

Impact

Any application with comment property enabled allow attacker to inject malicious or unwanted code like JS script tag in the XML/HTML output.

Workarounds

Check for the presence of 3 consecutive dashes externally in the property value used for comment tag.

AnalysisAI

Injection of arbitrary XML/HTML content in fast-xml-builder versions up to 1.1.5 allows unauthenticated remote attackers to break out of XML comments via three consecutive dashes (---), bypassing the regex-based sanitization fix for CVE-GHSA-gh4j-gqv2-49f6. Applications with the comment property enabled are at risk of XSS or malicious code injection in generated XML/HTML output when processing untrusted input. CVSS 6.1 with user interaction required; publicly available advisory but no confirmed POC.

Technical ContextAI

fast-xml-builder is an npm package that generates XML from JavaScript objects. The vulnerability stems from an incomplete regex replacement in the sanitization logic for XML comments. XML comments follow the syntax <!-- comment --> and historically have restrictions on the sequence -- within comment content to prevent ambiguity in parsing. The original CVE (GHSA-gh4j-gqv2-49f6) attempted to fix double-dash (--) sequences by replacing them with a space-separated variant (- -). However, the regex /--/g matches only consecutive pairs of dashes, not triplets. When an attacker provides input containing three consecutive dashes (---), the sanitization passes the first pair to the replacement function, leaving a -- sequence unmatched in the output. This allows escape from the XML comment context, injecting arbitrary XML tags or HTML content (including script tags). The root cause maps to CWE-91 (XML Injection), a subset of CWE-94 (Code Injection).

RemediationAI

Upgrade fast-xml-builder to version 1.1.6 or later, which implements a corrected sanitization mechanism. If immediate patching is not feasible, implement external validation in your application: before passing any value to the comment property, check for the presence of three or more consecutive dashes (---) and reject or sanitize such input. Alternatively, disable the comment property entirely if not essential to your use case, or pre-process all untrusted input through a strict validator that strips or escapes dashes in comment content. The workaround approach has trade-offs: external validation adds application-layer overhead and may reject legitimate user input containing dashes, requiring clear error messaging. Consult the vendor advisory at https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc for confirmation that version 1.1.6 fully resolves the issue.

Vendor StatusVendor

Share

CVE-2026-44664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy