PT-2026-21298 · Unknown · Fast-Xml-Parser
Author: Ochk0 · Published 2026-02-20 · Updated 2026-05-22 · CVE-2026-25896
CVSS v3.1: 9.3 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
fast-xml-parser versions 4.1.3 through 5.3.5
Description
fast-xml-parser has a flaw in how it handles DOCTYPE entity names during XML parsing. The parser constructs regular expressions dynamically from untrusted DOCTYPE entity names, so a dot (.) within an entity name is treated as a regex wildcard during entity replacement. An entity name such as 'l.' therefore creates a regex in which the dot matches any character, effectively shadowing the built-in '<' entity. This allows an attacker to shadow or override built-in XML entities such as <, >, &, ", and ' with arbitrary values, bypassing entity encoding.

This can lead to Cross-Site Scripting (XSS) when the parsed output is rendered, or potentially to information disclosure or Server-Side Request Forgery (SSRF). The issue exists in both versions 5 and 6 of the library. The vulnerability affects applications that parse untrusted XML and use the output in injection-sensitive contexts. Approximately 40 million weekly npm downloads are affected.
Recommendations
Update fast-xml-parser to version 5.3.5 or later.
Exploit
Fix
DoS
Weakness Enumeration
Related Identifiers
Affected Products
Fast-Xml-Parser