CVE-2026-25896 Overview
CVE-2026-25896 is a critical Cross-Site Scripting (XSS) vulnerability in fast-xml-parser, a popular JavaScript library that allows users to validate XML, parse XML to JavaScript objects, or build XML from JavaScript objects without C/C++ based libraries. The vulnerability stems from improper handling of special characters in DOCTYPE entity names, where a dot (.) is incorrectly treated as a regex wildcard during entity replacement. This flaw enables attackers to shadow built-in XML entities (<, >, &, ", ') with arbitrary values, bypassing entity encoding and leading to XSS when parsed output is rendered in a browser context.
Critical Impact
Attackers can inject arbitrary malicious content by exploiting regex character interpretation in entity names, enabling XSS attacks that could lead to session hijacking, credential theft, or malicious script execution in victim browsers.
Affected Products
- fast-xml-parser versions 4.1.3 to 5.3.4
- Applications using vulnerable fast-xml-parser versions for XML parsing
- Web applications rendering XML-parsed content in browser contexts
Discovery Timeline
- February 20, 2026 - CVE-2026-25896 published to NVD
- February 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-25896
Vulnerability Analysis
The vulnerability exists in the entity replacement mechanism within fast-xml-parser. When processing external entities defined in DOCTYPE declarations, the library constructs regular expressions using entity names directly without proper escaping. This means special regex characters like . (dot), - (hyphen), + (plus), * (asterisk), and : (colon) are interpreted as regex metacharacters rather than literal characters.
The most significant impact comes from the dot character (.), which in regex syntax matches any single character. An attacker can define a malicious entity with a name like l. which would match built-in entities such as < and >. By replacing these fundamental XML encoding entities with arbitrary values (such as <script> tags), the attacker effectively bypasses the XML entity encoding that normally prevents XSS.
This vulnerability is classified under CWE-185 (Incorrect Regular Expression), highlighting the core issue of improper regex pattern construction from untrusted input.
Root Cause
The root cause lies in the direct use of entity names when constructing RegExp objects without escaping regex metacharacters. In the vulnerable code, entity names from XML DOCTYPE declarations are concatenated directly into regex patterns like new RegExp("&"+entityName+";","g"). When an entity name contains regex special characters, these characters retain their special meaning, causing the regex to match unintended strings.
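To make the root cause concrete, here is an added, self-contained model of the entity-replacement step (illustrative code written for this page, not fast-xml-parser's own implementation). It assumes external entities are applied before the built-in ones, which is what lets a DOCTYPE-defined name shadow them, and uses a harmless marker as the entity value.

```javascript
// Added illustration (not fast-xml-parser's code): a minimal model of the
// DOCTYPE entity-replacement step, with the regex built either unescaped
// (the CVE-2026-25896 behaviour) or escaped (the hardened form).

// Escape every regex metacharacter so the entity name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\\-]/g, '\\$&');
}

// Built-in XML entities that every replacement pass falls back to.
const BUILTIN = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };

// Build one regex per external entity name; `escape` toggles the fix.
function buildEntityTable(external, escape) {
  const table = {};
  for (const name of Object.keys(external)) {
    const pattern = escape ? escapeRegExp(name) : name; // unescaped = vulnerable
    table[name] = { regex: new RegExp('&' + pattern + ';', 'g'), val: external[name] };
  }
  return table;
}

// Assumed order: external (DOCTYPE) entities first, then the built-ins.
// A function replacement is used so "$" in a value is never interpreted.
function replaceEntities(text, external, escape) {
  let out = text;
  for (const ent of Object.values(buildEntityTable(external, escape))) {
    out = out.replace(ent.regex, () => ent.val);
  }
  for (const [name, val] of Object.entries(BUILTIN)) {
    out = out.replace(new RegExp('&' + name + ';', 'g'), () => val);
  }
  return out;
}

// Constructed sample: an entity named "l." whose unescaped regex "&l.;"
// also matches the built-in reference "&lt;".
const externalEntities = { 'l.': '[INJECTED]' };
const sample = 'a &lt; b';

console.log(replaceEntities(sample, externalEntities, false)); // "a [INJECTED] b"
console.log(replaceEntities(sample, externalEntities, true));  // "a < b"
```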
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can craft malicious XML input containing a DOCTYPE declaration with specially named entities. When this XML is parsed by a vulnerable fast-xml-parser instance and the output is rendered in a web context, the injected content executes.
The attack flow involves:
- Crafting XML with a DOCTYPE containing an entity name with regex metacharacters (e.g., l.)
- Defining this entity's value as malicious content (e.g., <script>alert('XSS')</script>)
- Submitting the crafted XML to an application using vulnerable fast-xml-parser
- The malicious entity shadows built-in entities, injecting arbitrary content
- When the parsed output is rendered, the XSS payload executes
// Security patch in src/xmlparser/OrderedObjParser.js - fix: Escape regex char in entity name
// Source: https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e
const entKeys = Object.keys(externalEntities);
for (let i = 0; i < entKeys.length; i++) {
const ent = entKeys[i];
+ const escaped = ent.replace(/[.\-+*:]/g, '\\.');
this.lastEntities[ent] = {
- regex: new RegExp("&"+ent+";","g"),
+ regex: new RegExp("&"+escaped+";","g"),
val : externalEntities[ent]
}
}
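Review bot: the replacement string in the added line `const escaped = ent.replace(/[.\-+*:]/g, '\\.');` is the fixed literal `\.` rather than a backslash in front of whichever character matched, so an entity name such as `a-b` or `ns:x` is turned into the pattern `&a\.b;` or `&ns\.x;`, which matches `&a.b;` / `&ns.x;` and no longer matches the original reference; those entities silently stop being replaced. The escaping intent is right; using `'\\$&'` as the replacement keeps the matched character while escaping it. The character class also omits the remaining regex metacharacters (`?`, `(`, `)`, `[`, `]`, `{`, `}`, `|`, `^`, `$`, `\`), so unless entity names are validated elsewhere, a broader class such as `/[.*+?^${}()|[\]\\\-]/g` with `'\\$&'` would make every name match literally.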
The fix properly escapes regex metacharacters in entity names before constructing the regular expression pattern.
Detection Methods for CVE-2026-25896
Indicators of Compromise
- XML input containing DOCTYPE declarations with entity names containing special characters (., -, +, *, :)
- Entity names that partially match built-in XML entities (e.g., l., am., quo.)
- Unexpected script tags or HTML content appearing in XML-parsed output
- Browser console errors or unexpected JavaScript execution after XML parsing
Detection Strategies
- Implement input validation to detect DOCTYPE declarations with suspicious entity names
- Monitor application logs for XML parsing errors or unexpected entity replacement behavior
- Deploy Web Application Firewall (WAF) rules to detect malicious DOCTYPE entity patterns
- Use Content Security Policy (CSP) headers to mitigate XSS impact if exploitation occurs
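As an added example of the input-validation strategy above (not code from fast-xml-parser or its advisory), this helper extracts ENTITY declarations from a DOCTYPE internal subset, flags names containing the characters listed under Indicators of Compromise, and reports which built-in entity each name would shadow if it were used unescaped in the regex; the sample document is constructed for the demonstration.

```javascript
// Added detection helper (not part of fast-xml-parser): scan the DOCTYPE
// internal subset for entity names that are unsafe as raw regex input and
// report which built-in entities each one would shadow.
const BUILTIN_NAMES = ['lt', 'gt', 'amp', 'quot', 'apos'];
// Characters the advisory lists (. - + * :) plus the other regex metacharacters.
const META = /[.*+?^${}()|[\]\\\-:]/;

// Extract <!ENTITY name "value"> declarations from the DOCTYPE, if any.
function extractEntities(xml) {
  const doctype = xml.match(/<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/);
  if (!doctype) return [];
  const decls = [];
  const re = /<!ENTITY\s+([^\s"']+)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
  let m;
  while ((m = re.exec(doctype[1])) !== null) {
    decls.push({ name: m[1], value: m[2] !== undefined ? m[2] : m[3] });
  }
  return decls;
}

// For each suspicious name, rebuild the regex the way vulnerable versions
// did (unescaped) and test it against every built-in entity reference.
function findSuspiciousEntities(xml) {
  const findings = [];
  for (const { name, value } of extractEntities(xml)) {
    if (!META.test(name)) continue;
    let shadows = [];
    try {
      const raw = new RegExp('^&' + name + ';$');
      shadows = BUILTIN_NAMES.filter((b) => raw.test('&' + b + ';'));
    } catch (e) {
      // Name is not even a valid regex: still flagged, nothing shadowed.
    }
    findings.push({ name, value, shadows });
  }
  return findings;
}

// Constructed sample input for the demonstration.
const sample = `<!DOCTYPE root [
  <!ENTITY l. "[INJECTED]">
  <!ENTITY company "Example Corp">
  <!ENTITY am. "shadow">
  <!ENTITY quo. "x">
]>
<root>&company; &lt; &amp;</root>`;

console.log(findSuspiciousEntities(sample));
```

Names built from legitimate XML name characters such as "-" and ":" are flagged too, so treat a hit as a review trigger rather than an automatic block.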
Monitoring Recommendations
- Enable verbose logging for XML parsing operations to capture entity definitions
- Monitor for anomalous patterns in XML input containing regex metacharacters in entity names
- Implement real-time alerting for potential XSS attempts in XML-processing endpoints
- Review application dependencies regularly using Software Composition Analysis (SCA) tools
How to Mitigate CVE-2026-25896
Immediate Actions Required
- Update fast-xml-parser to version 5.3.5 or later immediately
- Audit all applications using fast-xml-parser to identify affected deployments
- Implement input sanitization as a defense-in-depth measure while patching
- Review application logs for evidence of exploitation attempts
Patch Information
The vulnerability is fixed in fast-xml-parser version 5.3.5. The fix escapes regex metacharacters (., -, +, *, :) in entity names before constructing regular expressions, ensuring these characters are treated literally rather than as regex patterns.
Relevant patches: the upstream fix commit in src/xmlparser/OrderedObjParser.js, https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e
For detailed security information, see the GitHub Security Advisory GHSA-m7jm-9gc2-mpf2.
Workarounds
- Disable DOCTYPE processing if not required by setting parser options to reject DOCTYPE declarations
- Implement strict input validation to reject XML containing entity names with regex metacharacters
- Apply Content Security Policy (CSP) headers to limit XSS impact as a defense-in-depth measure
- Consider using an alternative XML parser until upgrade is possible
# Update fast-xml-parser to patched version
npm update fast-xml-parser@5.3.5
# Or install specific version
npm install fast-xml-parser@5.3.5
# Verify installed version
npm list fast-xml-parser
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.