A critical vulnerability (CVE-2026-25896, CVSS 9.3) has been disclosed in fast-xml-parser, a JavaScript/Node.js XML parsing library with over 40 million weekly downloads on npm. Any application that parses untrusted XML using fast-xml-parser and renders the output in HTML, SQL, or other injection-sensitive contexts is at risk of XSS and injection attacks — with no special parser configuration required. Because fast-xml-parser is a transitive dependency of many popular packages, your project may be affected even if you don't depend on it directly.

The vulnerability allows an attacker to shadow the five built-in XML entities (<, >, &, ", ') with arbitrary values by exploiting the dot (.)character in a DOCTYPE entity name as a regex wildcard. This is an incomplete fix bypass: the original regex injection issue was patched in CVE-2023-34104, but that fix missed the period character,  which is both a valid XML name character and a regex metacharacter, making it easy to overlook and exploit.

Versions >= 4.1.3 and < 5.3.5 are affected, including both the v5 and v6 (experimental) codebases.

Affected versions

What happened

The vulnerability was published to the GitHub Security Advisory database (GHSA-m7jm-9gc2-mpf2) on February 20, 2026. The maintainers released the fix on February 8, 2026 in version 5.3.5 across two commits: ddcd0ac for the v6 EntitiesParser and v5 DocTypeReader, and 943ef0e for the v5 OrderedObjParser. A subsequent commit (910dae5), included in a later release, added defense-in-depth entity expansion limits.

The root cause traces back to CVE-2023-34104, which was fixed in v4.2.4 by introducing entity name validation. That fix addressed regex metacharacters like $, ?, *, and + but did not account for the period (.), the one regex metacharacter that is also a valid XML NameChar per the W3C spec. This gap persisted for nearly three years until it was reported.

Technical analysis

fast-xml-parser processes DOCTYPE entity declarations by constructing JavaScript RegExp objects from entity names. When the parser encounters a declaration like <!ENTITY l. "payload">, it creates:

entities["l."] = { regx: RegExp("&l.;", "g"), val: "payload" };

The period in l. becomes a regex wildcard that matches any character. The resulting regex /&l.;/g matches <, >, and any other four-character entity reference starting with &l.

This matters because of the entity replacement order inside replaceEntitiesValue(). DOCTYPE entities are replaced first, before built-in entities like < and &. If a DOCTYPE entity's regex matches a built-in entity reference, the built-in is shadowed entirely and never decoded to its safe value.

By defining five DOCTYPE entities, an attacker can shadow every built-in:

Proof-of-concept (POC)

The following proof-of-concept demonstrates the full attack. No special parser options are needed, as processEntities: true is the default:

const { XMLParser } = require("fast-xml-parser");

const xml = `<?xml version="1.0"?>

<!DOCTYPE foo [ <!ENTITY l. "<img src=x onerror=alert(1)>">

]> <root> <text>Hello <b>World</b></text> </root>`;

const result = new XMLParser().parse(xml); console.log(result.root.text); // Output: Hello <img src=x onerror=alert(1)>b>World<img src=x onerror=alert(1)>/b>

When an application renders this parsed output in a web page (via innerHTML, template interpolation, or server-side rendering), the injected <img onerror> tag executes JavaScript. The same technique can be used to inject SQL or shell metacharacters by shadowing &.

Mitigation

Detection

Check whether your project depends on an affected version:

npm ls fast-xml-parser

Or search for direct usage in your codebase:

grep -rE "require(['"]fast-xml-parser['"])|from ['"]fast-xml-parser['"]" --include=".js" --include=".ts" ./src

If you find a vulnerable version, evaluate whether the parser processes untrusted XML input with the default processEntities: true setting. If the parsed output is subsequently used in HTML rendering, database queries, or other injection-sensitive contexts, the application is exploitable.

Short-term / emergency steps

Upgrade to v5.3.5 or later. This is the primary remediation:

npm install fast-xml-parser@5.3.5

Version 5.3.5 escapes the dot (.) character in entity names before constructing the regex, preventing the wildcard behavior.

If you cannot upgrade immediately, disable entity processing as a temporary workaround:

const parser = new XMLParser({ processEntities: false });

Note that this disables all entity decoding, including legitimate built-in entities like < and &, which may break applications that rely on them.

Medium and long-term strategy

• Configure entity expansion limits: Later releases of fast-xml-parser support granular entity processing controls including maxEntitySize, maxTotalExpansions, maxExpandedLength, and allowedTags. For applications that process untrusted XML, we recommend configuring these limits explicitly.
• Review XML processing patterns: Any code path where untrusted XML flows through fast-xml-parser and the output is rendered in HTML, interpolated into SQL, or passed to a command shell should be audited. Even with the patch applied, defense-in-depth practices like output encoding and parameterized queries remain essential.
• Pin dependency versions: Use lockfiles (package-lock.json, yarn.lock) and periodically audit transitive dependencies. fast-xml-parser is a dependency of major packages, which means many projects include it transitively without realizing it.

References

• GHSA-m7jm-9gc2-mpf2 Advisory: https://github.com/advisories/GHSA-m7jm-9gc2-mpf2 
• OSV: GHSA-m7jm-9gc2-mpf2: https://osv.dev/vulnerability/GHSA-m7jm-9gc2-mpf2 
• Patch commit 943ef0e (v5): https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e 
• Patch commit ddcd0ac (v6): https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69 
• Release v5.3.5: https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5 
• CVE-2023-34104 (predecessor): https://github.com/advisories/GHSA-6w63-h3fj-q4vw