CVE-2026-44664 Overview
CVE-2026-44664 is an XML injection vulnerability [CWE-91] in the fast-xml-builder library, which constructs XML documents from JSON input. Version 1.1.5 introduced an incomplete fix for CVE-2026-41650 that sanitized -- sequences within XML comment content using .replace(/--/g, '- -'). The sanitizer fails to handle three or more consecutive dashes such as --->, allowing attackers to break out of an XML comment context and inject arbitrary XML or HTML content. The maintainers fixed the issue in version 1.1.6.
Critical Impact
Attackers who control JSON input passed into fast-xml-builder 1.1.5 can escape XML comment boundaries and inject XML or HTML content into the generated document.
Affected Products
- fast-xml-builder version 1.1.5
- Applications using fast-xml-builder to convert untrusted JSON into XML
- Downstream services consuming XML output produced by vulnerable builder versions
Discovery Timeline
- 2026-05-13 - CVE-2026-44664 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44664
Vulnerability Analysis
The fast-xml-builder package serializes JSON structures into XML documents. After CVE-2026-41650 was disclosed, the maintainers added a sanitizer that prevents user-controlled values from terminating XML comments. The mitigation replaces every occurrence of -- inside comment content with - -, ensuring that the --> terminator cannot be produced from a single double-dash sequence.
The regular expression /--/g performs non-overlapping left-to-right matching. When three dashes appear consecutively, only the first two are rewritten, leaving the trailing dash intact: a payload such as ---> becomes - -->, where the second replacement dash, the untouched third dash and the > recombine into an intact --> sequence that survives sanitization and terminates the comment.
An attacker who controls a JSON value that the host application embeds inside an XML comment can terminate the comment early and append attacker-controlled XML or HTML markup. Where the downstream consumer renders the output in a browser, the injected content can include script-bearing markup, supporting client-side attacks.
Root Cause
The root cause is incomplete input neutralization [CWE-91]. The sanitizer treats -- as the only dangerous token and does not account for runs of three or more dashes or for overlapping matches that reconstruct the comment terminator --> after a single pass of String.prototype.replace.
Attack Vector
The attack vector is network-based and requires user interaction, consistent with a stored or reflected injection that triggers when a victim renders the generated XML or HTML. The attacker supplies a crafted JSON value containing sequences such as ---> to any application that passes user input through fast-xml-builder 1.1.5 into a comment node, then waits for the document to be parsed or rendered.
No verified public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory GHSA-45c6-75p6-83cc for technical details from the maintainers.
Detection Methods for CVE-2026-44664
Indicators of Compromise
- XML or HTML output containing unexpected closing comment sequences such as --> followed by attacker markup adjacent to fields populated from JSON input.
- Generated documents where <!-- ... --> regions contain three or more consecutive dashes or HTML tags that should not appear in a comment.
- Application logs showing JSON payloads with --->, ---->, or longer dash runs in fields that are serialized into XML comments.
Detection Strategies
- Inventory all Node.js services that depend on fast-xml-builder and identify those pinned to version 1.1.5 using npm ls fast-xml-builder or lockfile inspection.
- Add static checks in code review that flag any pattern where untrusted input is embedded inside an XML comment node produced by the builder.
- Compare generated XML against expected schemas in integration tests to catch markup that escapes its intended element or comment context.
Monitoring Recommendations
- Log and alert on inbound JSON requests containing runs of three or more dash characters in string values destined for XML generation.
- Monitor outbound XML or HTML responses for unbalanced comment delimiters or unexpected tags adjacent to dynamic fields.
- Track dependency manifests in CI pipelines and fail builds that resolve fast-xml-builder to vulnerable 1.1.5.
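As an added example covering the indicators and monitoring points above (not code from the advisory or from fast-xml-builder), the two checks below report dash runs in inbound JSON string values and anomalies in generated XML comments; the sample inputs are constructed for this example.

```javascript
// Added example, not part of the advisory. Two defensive checks around
// XML generation: inbound JSON inspection and outbound comment auditing.

const DASH_RUN = /-{3,}/;

// Walk a parsed JSON value and return the paths of string values that
// contain three or more consecutive dashes.
function findDashRuns(node, path = '', out = []) {
  if (typeof node === 'string') {
    if (DASH_RUN.test(node)) out.push(path || '/');
  } else if (Array.isArray(node)) {
    node.forEach((item, i) => findDashRuns(item, `${path}/${i}`, out));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      findDashRuns(value, `${path}/${key}`, out);
    }
  }
  return out;
}

// Scan generated XML: report comment content that is not legal comment
// text, and any "-->" left outside every comment, which is the trace of a
// comment that was closed early by sanitized input.
function auditComments(xml) {
  const findings = [];
  const comment = /<!--([\s\S]*?)-->/g;
  let m;
  while ((m = comment.exec(xml)) !== null) {
    if (m[1].includes('--') || m[1].endsWith('-')) {
      findings.push('dash sequence inside comment');
    }
    if (/<[a-zA-Z/!?]/.test(m[1])) {
      findings.push('markup inside comment');
    }
  }
  if (xml.replace(comment, '').includes('-->')) {
    findings.push('stray comment terminator outside comment');
  }
  return findings;
}

// Constructed sample inputs for a local run.
const SAMPLE_JSON = { id: 7, note: 'benign - text', tags: ['ok', 'bad --->'], meta: { label: '----x' } };
const SAMPLE_XML_CLEAN = '<root><!-- generated - safe --><item>1</item></root>';
const SAMPLE_XML_BAD = '<root><!--- --><b>injected</b>--></root>';
```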
How to Mitigate CVE-2026-44664
Immediate Actions Required
- Upgrade fast-xml-builder to version 1.1.6 or later across all applications and rebuild affected services.
- Audit code paths that place user-controlled values inside XML comments and treat comment content as untrusted output context.
- Re-validate any cached or persisted XML produced by 1.1.5 before sending it to downstream consumers or browsers.
Patch Information
The vulnerability is fixed in fast-xml-builder 1.1.6. Refer to the GitHub Security Advisory GHSA-45c6-75p6-83cc for the maintainer's release notes and patch references.
Workarounds
- Strip or reject dash runs of length two or greater from any JSON value that will be serialized into an XML comment before invoking the builder.
- Avoid placing user-controlled input inside XML comments entirely; serialize untrusted data into element text or attributes where standard XML escaping applies.
- Apply output encoding at the rendering layer so that any markup surviving sanitization is displayed as text rather than parsed as HTML.
# Upgrade fast-xml-builder to the fixed release
npm install fast-xml-builder@^1.1.6
npm ls fast-xml-builder
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.