fast-xml-builder CVE-2026-44664
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.
Impact
Any application with comment property enabled allow attacker to inject malicious or unwanted code like JS script tag in the XML/HTML output.
Workarounds
Check for the presence of 3 consecutive dashes externally in the property value used for comment tag.
AnalysisAI
Injection of arbitrary XML/HTML content in fast-xml-builder versions up to 1.1.5 allows unauthenticated remote attackers to break out of XML comments via three consecutive dashes (---), bypassing the regex-based sanitization fix for CVE-GHSA-gh4j-gqv2-49f6. Applications with the comment property enabled are at risk of XSS or malicious code injection in generated XML/HTML output when processing untrusted input. CVSS 6.1 with user interaction required; publicly available advisory but no confirmed POC.
Technical ContextAI
fast-xml-builder is an npm package that generates XML from JavaScript objects. The vulnerability stems from an incomplete regex replacement in the sanitization logic for XML comments. XML comments follow the syntax <!-- comment --> and historically have restrictions on the sequence -- within comment content to prevent ambiguity in parsing. The original CVE (GHSA-gh4j-gqv2-49f6) attempted to fix double-dash (--) sequences by replacing them with a space-separated variant (- -). However, the regex /--/g matches only consecutive pairs of dashes, not triplets. When an attacker provides input containing three consecutive dashes (---), the sanitization passes the first pair to the replacement function, leaving a -- sequence unmatched in the output. This allows escape from the XML comment context, injecting arbitrary XML tags or HTML content (including script tags). The root cause maps to CWE-91 (XML Injection), a subset of CWE-94 (Code Injection).
RemediationAI
Upgrade fast-xml-builder to version 1.1.6 or later, which implements a corrected sanitization mechanism. If immediate patching is not feasible, implement external validation in your application: before passing any value to the comment property, check for the presence of three or more consecutive dashes (---) and reject or sanitize such input. Alternatively, disable the comment property entirely if not essential to your use case, or pre-process all untrusted input through a strict validator that strips or escapes dashes in comment content. The workaround approach has trade-offs: external validation adds application-layer overhead and may reject legitimate user input containing dashes, requiring clear error messaging. Consult the vendor advisory at https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc for confirmation that version 1.1.6 fully resolves the issue.
Same weakness CWE-91 – XML Injection (aka Blind XPath Injection)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-45c6-75p6-83cc