CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25896: Regex Injection in fast-xml-parser: Shadowing the <

Vulnerability ID: CVE-2026-25896
CVSS Score: 9.3
Published: 2026-02-20

A critical regex injection vulnerability exists in the fast-xml-parser library (versions >= 4.1.3 and < 5.3.5). The parser constructs regular expressions dynamically from untrusted DOCTYPE entity names without proper escaping. This allows attackers to define malicious entities that 'shadow' built-in XML entities such as &lt; or &amp;. By replacing these safe entities with arbitrary content, attackers can bypass entity encoding and achieve Cross-Site Scripting (XSS) in downstream applications that rely on the parser's output.

TL;DR

User-supplied XML entity names are passed directly into new RegExp(). Because the dot is a regex wildcard, an attacker can define an entity named l., which produces a regex that also matches &lt; and lets them overwrite the less-than symbol with malicious HTML tags (XSS).
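The following is an added illustration, not fast-xml-parser's own code: it shows why an unescaped entity name shadows &lt;, and one hardened builder that escapes regex metacharacters, validates the name against a simplified ASCII XML Name production, and refuses to redefine the five predefined entities. The function names, the XML_NAME pattern and the sample text are assumptions made for this example.

```javascript
// Added example (not fast-xml-parser's code): how an unescaped DOCTYPE entity name
// becomes a regex that shadows a predefined entity, and one hardened alternative.

// Vulnerable pattern described in the report: the raw entity name is interpolated
// into the RegExp source, so regex metacharacters in the name keep their meaning.
function buildEntityRegexVulnerable(entityName) {
  return new RegExp(`&${entityName};`, "g");
}

// Escape every regex metacharacter so the name is matched literally.
// "$&" inserts the matched character itself, so "." becomes "\." and "-" becomes "\-".
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\-]/g, "\\$&");
}

// Simplified ASCII subset of the XML Name production (assumption for this example):
// letter, "_" or ":" first, then letters, digits, ".", "-", "_", ":".
// Note that "." is a legal name character, so "l." passes this check:
// validation alone does not stop the shadowing, escaping is required.
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;

// The five entities XML predefines; redefining them is never legitimate.
const PREDEFINED = new Set(["lt", "gt", "amp", "quot", "apos"]);

function buildEntityRegexHardened(entityName) {
  if (!XML_NAME.test(entityName)) {
    throw new Error(`invalid entity name: ${JSON.stringify(entityName)}`);
  }
  if (PREDEFINED.has(entityName)) {
    throw new Error(`refusing to redefine predefined entity: ${entityName}`);
  }
  return new RegExp(`&${escapeRegex(entityName)};`, "g");
}

// Lists every entity reference in `text` that a given builder would rewrite
// for the entity `entityName`, i.e. what the replacement step would touch.
function shadowedReferences(buildFn, entityName, text) {
  const re = buildFn(entityName);
  return [...text.matchAll(re)].map((m) => m[0]);
}

// Constructed sample: a document that legitimately uses &lt; next to the custom entity.
const SAMPLE = "a &lt; b and &l.; here";

console.log(shadowedReferences(buildEntityRegexVulnerable, "l.", SAMPLE)); // ["&lt;", "&l.;"]
console.log(shadowedReferences(buildEntityRegexHardened, "l.", SAMPLE));   // ["&l.;"]
```

The vulnerable builder rewrites the legitimate &lt; as well as the custom entity, which is exactly the shadowing the report describes; the hardened builder only touches references to the entity actually defined.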


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-185 (Incorrect Regular Expression)
  • CVSS Score: 9.3 (Critical)
  • Attack Vector: Network (AV:N)
  • Exploit Status: PoC Available
  • Impact: XSS / Integrity Compromise
  • Patch Quality: Partial / Brittle

Affected Systems

  • Node.js applications using fast-xml-parser
  • Frontend applications bundling fast-xml-parser
  • API gateways transforming XML to JSON
  • fast-xml-parser: >= 4.1.3, < 5.3.5 (Fixed in: 5.3.5)

Code Analysis

Commit: 943ef0e

Initial attempt to fix regex injection by replacing special characters

- entities[entityName] = {
-   regx : RegExp(`&${entityName};`, "g"),
+ const escaped = entityName.replace(/[.\-+*:]/g, '\\.');
+ entities[entityName] = {
+   regx : RegExp(`&${escaped};`, "g"),
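Review bot: the replacement string '\\.' in the `+ const escaped = entityName.replace(/[.\-+*:]/g, '\\.');` line rewrites every matched character as a literal dot instead of escaping it, so an entity named `a-b` or `a:b` yields a regex for `&a.b;` and no longer matches its own reference; use a back-reference to the matched character, e.g. `entityName.replace(/[.\-+*:]/g, '\\$&')`, so each character is escaped as itself. The character class is also a denylist that omits other regex metacharacters (`?`, `(`, `)`, `[`, `]`, `{`, `}`, `|`, `^`, `$`, `\`), which still reach `RegExp` unescaped; either escape the full metacharacter set or validate the name against the allowed XML Name characters before building the pattern, and add a test that a dotted name such as `l.` does not match `&lt;`.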

Exploit Details

Mitigation Strategies

  • Disable DOCTYPE processing if not strictly required (processEntities: false).
  • Sanitize XML input before parsing to reject DTD declarations.
  • Implement Content Security Policy (CSP) to mitigate XSS even if injection occurs.

Remediation Steps:

  1. Update fast-xml-parser to version 5.3.5 or higher immediately.
  2. Verify package-lock.json or yarn.lock to ensure the nested dependency is updated.
  3. Review application logic: does your app really need to parse custom entities? If not, disable the feature.

References


Read the full report for CVE-2026-25896 on our website for more details including interactive diagrams and full exploit analysis.
