logo

Database

XML injection (XXE) In fast-xml-builder

Description

fast-xml-builder Comment Value regex can be bypassed

Summary

The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.

Impact

Any application with comment property enabled allow attacker to inject malicious or unwanted code like JS script tag in the XML/HTML output.

Workarounds

Check for the presence of 3 consecutive dashes externally in the property value used for comment tag.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-446642. NVD-2026-446643. OSV-2026-446644. GHSA-45c6-75p6-83cc5. GHSA-gh4j-gqv2-49f66. GCVE-2026-44664

References

1. https://github.com/NaturalIntelligence/fast-xml-builder/security/advisories/GHSA-45c6-75p6-83cc2. https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-gh4j-gqv2-49f6

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.