Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Published: 2026-02-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

fast‑xml-parser incorrectly treats a dot (.) in a DOCTYPE entity name as a wildcard during entity replacement, allowing an attacker to define custom entities that shadow the XML built‑in entities (<, >, &, &quot;, &apos;). When parsed XML is rendered, the attacker’s injected content can be executed as script, resulting in cross‑site scripting. This flaw is a classic example of improper handling of external entities, as identified by CWE‑185 and CWE‑79.

Affected Systems

The vulnerability affects instances of NaturalIntelligence fast‑xml-parser versions from 4.1.3 up through 5.3.4. All users of these releases should verify the installed version and ensure a non‑vulnerable release is in use.

Risk and Exploitability

With a CVSS score of 9.3, this issue is considered high‑severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that any party that can supply XML input that the application parses can trigger the flaw. This suggests the attacker could potentially exploit the vulnerability remotely if the parser is exposed to untrusted input.

Generated by OpenCVE AI on April 18, 2026 at 11:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fast‑xml-parser to version 5.3.5 or later, which removes the regex wildcard handling for entity names.
  • If upgrading immediately is not possible, restrict the parser to only handle trusted XML by rejecting any files that contain a DOCTYPE declaration.
  • Implement output encoding or a strong Content‑Security‑Policy to mitigate XSS when parsing untrusted XML cannot be avoided.

Generated by OpenCVE AI on April 18, 2026 at 11:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
History

Mon, 02 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Naturalintelligence
Naturalintelligence fast-xml-parser
Vendors & Products Naturalintelligence
Naturalintelligence fast-xml-parser

Sat, 21 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (&lt;, &gt;, &amp;, &quot;, &apos;) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Title fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
Weaknesses CWE-185
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N'}

Subscriptions

Naturalintelligence Fast-xml-parser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T19:11:31.673Z

Reserved: 2026-02-06T21:08:39.130Z

Link: CVE-2026-25896

cve-icon Vulnrichment

Updated: 2026-02-23T19:27:50.880Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T21:19:27.470

Modified: 2026-03-02T14:54:02.760

Link: CVE-2026-25896

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-20T20:57:48Z

Links: CVE-2026-25896 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses