logo

Database

XML injection (XXE) In fast-xml-builder

Description

fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes

Summary

When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.

Detail

Malicious Input

{
      a: {
        "@_attr": '" onClick="alert(1)'
      }
}

Output

<a attr="" onClick="alert(1)"></a>

Workarounds

If you're not ignoring attributes then keep processEntities flag true.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-446652. NVD-2026-446653. OSV-2026-446654. GHSA-5wm8-gmm8-39j95. GCVE-2026-44665

References

1. https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-5wm8-gmm8-39j9

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-IQA1U – Vulnerability | Fluid Attacks Database