Skip to main content

fast-xml-builder CVE-2026-44665

MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-05-08 https://github.com/NaturalIntelligence/fast-xml-builder GHSA-5wm8-gmm8-39j9
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
CVSS changed
May 13, 2026 - 16:22 NVD
6.1 (MEDIUM)
Source Code Evidence Fetched
May 08, 2026 - 17:01 vuln.today
Analysis Generated
May 08, 2026 - 17:01 vuln.today
CVE Published
May 08, 2026 - 16:29 nvd
HIGH

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 npm packages depend on fast-xml-builder (5 direct, 2 indirect)

Ecosystem-wide dependent count for version 1.1.7.

DescriptionGitHub Advisory

Summary

When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.

Detail

Malicious Input

{
      a: {
        "@_attr": '" onClick="alert(1)'
      }
}

Output

xml
<a attr="" onClick="alert(1)"></a>

Workarounds

If you're not ignoring attributes then keep processEntities flag true.

AnalysisAI

Attribute injection in fast-xml-builder npm package allows attackers to inject malicious HTML/XML attributes when processEntities flag is disabled. Affected versions through 1.1.6 fail to properly sanitize quote characters in attribute values, enabling injection of arbitrary attributes like onClick handlers for cross-site scripting attacks. Patch available in version 1.1.7. EPSS and KEV data not available for this vulnerability, suggesting limited observed exploitation targeting this specific library, though the attack technique is well-understood.

Technical ContextAI

This vulnerability affects the fast-xml-builder npm package (pkg:npm/fast-xml-builder), a JavaScript library for programmatically constructing XML/HTML from object structures. The flaw is classified as CWE-611 (Improper Restriction of XML External Entity Reference), though functionally it manifests as an attribute injection weakness. When the processEntities configuration flag is set to false or not enabled, the library fails to escape or encode double-quote characters within attribute values. This allows quote characters to prematurely terminate the intended attribute and begin new attribute-value pairs in the serialized XML/HTML output. The library's parser treats the unescaped quotes as attribute delimiters rather than content, breaking the boundary between developer-controlled structure and attacker-controlled data.

RemediationAI

Primary remediation is upgrading to fast-xml-builder version 1.1.7 or later, which properly handles quote characters in attribute values regardless of processEntities setting. For environments unable to upgrade immediately, enable the processEntities flag to true in the library configuration, which activates entity encoding that prevents quote-based attribute injection. This workaround assumes attributes are not being ignored in the configuration. Organizations should audit their fast-xml-builder usage to identify instances where user-controlled data flows into attribute values, then prioritize upgrade or workaround deployment for those code paths. After remediation, validate that generated XML/HTML output correctly encodes quote characters in attributes and does not allow attribute boundary violations. Vendor advisory and fix details available at https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9.

Vendor StatusVendor

Share

CVE-2026-44665 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy