fast-xml-builder CVE-2026-44665
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 7 npm packages depend on fast-xml-builder (5 direct, 2 indirect)
Ecosystem-wide dependent count for version 1.1.7.
DescriptionGitHub Advisory
Summary
When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.
Detail
Malicious Input
{
a: {
"@_attr": '" onClick="alert(1)'
}
}Output
<a attr="" onClick="alert(1)"></a>Workarounds
If you're not ignoring attributes then keep processEntities flag true.
AnalysisAI
Attribute injection in fast-xml-builder npm package allows attackers to inject malicious HTML/XML attributes when processEntities flag is disabled. Affected versions through 1.1.6 fail to properly sanitize quote characters in attribute values, enabling injection of arbitrary attributes like onClick handlers for cross-site scripting attacks. Patch available in version 1.1.7. EPSS and KEV data not available for this vulnerability, suggesting limited observed exploitation targeting this specific library, though the attack technique is well-understood.
Technical ContextAI
This vulnerability affects the fast-xml-builder npm package (pkg:npm/fast-xml-builder), a JavaScript library for programmatically constructing XML/HTML from object structures. The flaw is classified as CWE-611 (Improper Restriction of XML External Entity Reference), though functionally it manifests as an attribute injection weakness. When the processEntities configuration flag is set to false or not enabled, the library fails to escape or encode double-quote characters within attribute values. This allows quote characters to prematurely terminate the intended attribute and begin new attribute-value pairs in the serialized XML/HTML output. The library's parser treats the unescaped quotes as attribute delimiters rather than content, breaking the boundary between developer-controlled structure and attacker-controlled data.
RemediationAI
Primary remediation is upgrading to fast-xml-builder version 1.1.7 or later, which properly handles quote characters in attribute values regardless of processEntities setting. For environments unable to upgrade immediately, enable the processEntities flag to true in the library configuration, which activates entity encoding that prevents quote-based attribute injection. This workaround assumes attributes are not being ignored in the configuration. Organizations should audit their fast-xml-builder usage to identify instances where user-controlled data flows into attribute values, then prioritize upgrade or workaround deployment for those code paths. After remediation, validate that generated XML/HTML output correctly encodes quote characters in attributes and does not allow attribute boundary violations. Vendor advisory and fix details available at https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9.
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-5wm8-gmm8-39j9