CVE-2026-44665 Overview
CVE-2026-44665 is an XML attribute injection vulnerability in fast-xml-builder, a JavaScript library that constructs XML from JSON input. Versions prior to 1.1.7 mishandle quote characters in attribute values when the processEntities option is disabled. The library breaks a single attribute value into multiple attributes, allowing an attacker to inject arbitrary XML or HTML attributes into the output document. The flaw is tracked under CWE-91: XML Injection.
Critical Impact
Attackers can inject unintended XML or HTML attributes into generated documents, enabling downstream cross-site scripting or content manipulation when the output is rendered in a browser.
Affected Products
- fast-xml-builder versions prior to 1.1.7
- Applications using fast-xml-builder with processEntities disabled
- Downstream consumers rendering generated XML or HTML output
Discovery Timeline
- 2026-05-13 - CVE-2026-44665 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44665
Vulnerability Analysis
The fast-xml-builder library converts JSON objects into XML documents. When the process entities option is disabled, the builder skips escaping of quote characters embedded in attribute values. The attribute serializer treats an embedded quote as the closing delimiter of the current attribute, then interprets the remaining characters as additional attributes. An attacker who controls part of an attribute value can terminate the attribute early and append arbitrary attributes to the element.
Whether the flaw is reachable depends on whether application-controlled data reaches attribute values without prior sanitization. If the generated XML is consumed as HTML, injected attributes such as event handlers can introduce client-side script execution. Exploitation needs user interaction, since a victim must render the malicious output, and the impact crosses a trust boundary: the injected content executes in a security context different from that of the application that produced the markup.
Root Cause
The root cause is missing output encoding of the double-quote character in attribute serialization when entity processing is disabled. The serializer concatenates the raw attribute value between delimiter quotes without verifying that the value itself contains no delimiter. This violates the contract that attribute values must escape " as &quot; per the XML specification.
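To make the root cause concrete, here is an added illustration in JavaScript: a minimal attribute serializer modelled on the behaviour described above, not fast-xml-builder's own code, with the vulnerable shape beside the fixed one. The function names, the way the option is handled and the sample value are constructed for this example.

```javascript
// Added example modelled on the advisory's description; not fast-xml-builder's code.
// Assumption: processEntities controls entity encoding of the whole value, and the
// vulnerable serializer skips that encoding entirely when the option is false.

// Encode the characters that may not appear raw inside a double-quoted attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/"/g, "&quot;");
}

// Vulnerable shape: with processEntities false the raw value is concatenated
// between the delimiter quotes, so an embedded `"` closes the attribute early
// and whatever follows is emitted as further attributes.
function buildElementVulnerable(tag, attrs, { processEntities = true } = {}) {
  const parts = Object.entries(attrs).map(([name, value]) => {
    const v = processEntities ? escapeAttr(value) : String(value);
    return `${name}="${v}"`;
  });
  return `<${tag} ${parts.join(" ")}/>`;
}

// Fixed shape, following what the advisory says 1.1.7 does: the delimiter is
// escaped regardless of processEntities; only the other entity encoding stays optional.
function buildElementFixed(tag, attrs, { processEntities = true } = {}) {
  const parts = Object.entries(attrs).map(([name, value]) => {
    const v = processEntities ? escapeAttr(value) : String(value).replace(/"/g, "&quot;");
    return `${name}="${v}"`;
  });
  return `<${tag} ${parts.join(" ")}/>`;
}

// Constructed sample: one attribute whose value carries a quote followed by a
// harmless extra attribute, standing in for attacker-controlled JSON.
const untrustedTitle = 'Report" data-injected="1';
const options = { processEntities: false };
const vulnerableOutput = buildElementVulnerable("item", { title: untrustedTitle }, options);
const fixedOutput = buildElementFixed("item", { title: untrustedTitle }, options);
console.log(vulnerableOutput); // <item title="Report" data-injected="1"/>
console.log(fixedOutput);      // <item title="Report&quot; data-injected=&quot;1"/>
```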
Attack Vector
Exploitation requires an attacker to supply input that feeds into a JSON property serialized as an XML attribute. The payload contains a " character followed by attacker-chosen attribute names and values. When the builder emits the element, the resulting markup carries the injected attributes. Refer to the GitHub Security Advisory GHSA-5wm8-gmm8-39j9 for the technical reproduction details.
Detection Methods for CVE-2026-44665
Indicators of Compromise
- Generated XML or HTML output containing unexpected attributes such as onerror, onload, or onclick on elements built from user-controlled JSON
- Application logs showing JSON input fields containing literal " characters destined for attribute serialization
- Anomalous client-side script execution originating from server-rendered XML or HTML responses
Detection Strategies
- Audit application dependencies for fast-xml-builder versions below 1.1.7 using npm ls fast-xml-builder or equivalent software composition analysis tooling
- Inspect builder configuration for instances where processEntities is set to false and attribute values originate from untrusted sources
- Add output validation that compares the count of attributes in generated elements against the count of attributes provided in the source JSON
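The output-validation strategy in the last item above, as an added JavaScript check that is not part of fast-xml-builder: it parses the generated element, compares its attributes against the source JSON, and goes one step beyond a bare count by naming any attribute absent from the source and flagging event-handler names. The regexes assume a single opening tag with double-quoted attributes and no raw `>` inside values; the sample strings are constructed.

```javascript
// Added detection check; not part of fast-xml-builder. Assumptions: one element
// per call, attributes are double-quoted, and the builder emits exactly one
// attribute per key of the source JSON object.

// Collect name="value" pairs from the element's opening tag.
function parseAttributes(element) {
  const open = element.match(/^<[^\s>\/]+([^>]*?)\/?>/);
  if (!open) throw new Error("not a well-formed opening tag");
  const attrs = {};
  for (const m of open[1].matchAll(/([^\s=\/"']+)="([^"]*)"/g)) {
    attrs[m[1]] = m[2];
  }
  return attrs;
}

// Compare the emitted attributes with the source JSON. Returns a list of
// findings; an empty list means the output carries exactly the source keys.
function validateElement(element, sourceAttrs) {
  const emitted = parseAttributes(element);
  const emittedNames = Object.keys(emitted);
  const sourceNames = Object.keys(sourceAttrs);
  const findings = [];
  if (emittedNames.length !== sourceNames.length) {
    findings.push(`attribute count ${emittedNames.length} differs from source count ${sourceNames.length}`);
  }
  for (const name of emittedNames) {
    if (!(name in sourceAttrs)) findings.push(`attribute not in source JSON: ${name}`);
    // Event-handler names are the indicator the advisory lists for HTML consumers.
    if (/^on[a-z]+$/i.test(name)) findings.push(`event-handler attribute emitted: ${name}`);
  }
  return findings;
}

// Constructed samples: the source JSON with a quote in its value, the element a
// vulnerable builder would emit from it, and the element a fixed builder emits.
const sourceJson = { title: 'Report" data-injected="1' };
const vulnerableElement = '<item title="Report" data-injected="1"/>';
const fixedElement = '<item title="Report&quot; data-injected=&quot;1"/>';
console.log(validateElement(vulnerableElement, sourceJson)); // two findings
console.log(validateElement(fixedElement, sourceJson));      // []
```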
Monitoring Recommendations
- Monitor web application firewall logs for double-quote characters appearing in JSON request bodies targeting endpoints that emit XML or HTML
- Track Content Security Policy violation reports that indicate unexpected inline event handlers in rendered pages
- Alert on dependency manifest changes that reintroduce vulnerable fast-xml-builder versions during build pipelines
How to Mitigate CVE-2026-44665
Immediate Actions Required
- Upgrade fast-xml-builder to version 1.1.7 or later across all production and development environments
- Identify every code path that passes untrusted data into the builder and confirm the fix is deployed before resuming traffic
- Re-run software composition analysis after the upgrade to verify no transitive dependency pins an older version
Patch Information
The maintainers released fast-xml-builder version 1.1.7, which properly escapes quote characters in attribute values regardless of the processEntities setting. Patch details are published in the GitHub Security Advisory GHSA-5wm8-gmm8-39j9.
Workarounds
- Enable the processEntities option in the builder configuration so that quote characters are encoded during attribute serialization
- Sanitize JSON input to strip or encode " characters in fields that will be serialized as XML attributes
- Apply downstream HTML sanitization on generated output before delivering it to browsers
# Upgrade and audit example
npm install fast-xml-builder@^1.1.7   # install the patched release (1.1.7 or later)
npm audit --production                # confirm no vulnerable copies remain among production dependencies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


