fast-xml-parser DOCTYPE Entity Injection (CVE-2026-25896)
CVE-2026-25896
Critical 9.3 flaw in fast-xml-parser 4.1.3–5.3.4 lets attackers redefine built-in XML entities through a dot in a DOCTYPE entity name, bypassing output encoding and enabling XSS. Patch to 5.3.5+ now.
Patch now - CVE-2026-25896 is a critical (CVSS 9.3) vulnerability in fast-xml-parser versions 4.1.3 up to and including 5.3.4. A crafted DOCTYPE entity declaration can shadow the parser's built-in entities, so text an application expects to be safely encoded reaches the browser as raw markup; where the parsed output is rendered into a page, that is cross-site scripting, with session hijacking and data theft as the consequences. Update to version 5.3.5 or later immediately.
Overview
A critical vulnerability has been identified in the popular fast-xml-parser library, used for processing XML data in JavaScript and Node.js applications. The flaw lets an attacker who controls an XML document redefine the parser's built-in entities, defeating the output encoding that downstream code relies on and potentially leading to cross-site scripting (XSS).
Vulnerability Details
The library validates, parses, and builds XML. In affected versions (4.1.3 up to, but not including, 5.3.5), the parser mishandles entity declarations in the DOCTYPE internal subset (<!ENTITY name "value">). Specifically, a period (.) in a declared entity name is incorrectly treated as a wildcard that matches any single character, so an entity named l. also matches the reference &lt;, and one named am. matches &amp;.
This allows an attacker to craft an XML document whose declarations shadow the fundamental, built-in XML entities, such as those for less-than (<) and ampersand (&). A reference such as &lt; in the document's text, which should decode to nothing more dangerous than a single character, is instead expanded to the attacker's arbitrary value. When that value is raw markup, the normal encoding process that makes these characters safe for web browsers is bypassed.
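To make the wildcard behaviour concrete, the following is an added, self-contained illustration written for this page; it is not code from fast-xml-parser or from the advisory, and it does not reproduce the library's real implementation. It models a minimal DOCTYPE entity expander the way the flaw is described above (the declared entity name dropped into a match pattern unescaped, custom entities expanded before the built-in ones), puts a hardened version beside it, adds a pre-parse check that flags declarations whose name would shadow a built-in entity, and finishes with the output-side HTML encoding an application should apply regardless of parser version. The two XML documents are constructed for the demo.

```javascript
// Added illustration: a toy DOCTYPE entity expander, NOT fast-xml-parser's code.
// It mirrors the flaw described in the advisory: the entity name from
// <!ENTITY name "value"> goes into a RegExp unescaped, so "." matches any
// character and the name "l." also matches the built-in reference &lt;.

const BUILTIN = { lt: "<", gt: ">", amp: "&", apos: "'", quot: '"' };
const BUILTIN_REFS = Object.keys(BUILTIN).map((n) => `&${n};`);

// Collect <!ENTITY name "value"> declarations from the DOCTYPE internal subset.
function readDoctypeEntities(xml) {
  const subset = xml.match(/<!DOCTYPE[^\[>]*\[([\s\S]*?)\]\s*>/);
  if (!subset) return [];
  const entities = [];
  const decl = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  for (let m; (m = decl.exec(subset[1])) !== null; ) {
    entities.push({ name: m[1], val: m[2] });
  }
  return entities;
}

// Character data of the root element (all this toy needs).
function rootText(xml) {
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]\s*>/, "");
  const m = body.match(/<([A-Za-z_][\w.-]*)[^>]*>([\s\S]*?)<\/\1>/);
  return m ? m[2] : "";
}

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Replace through a function so "$&" and friends in an entity value are not interpreted.
const replaceAll = (text, re, val) => text.replace(re, () => val);

function expandBuiltins(text) {
  for (const [name, val] of Object.entries(BUILTIN)) {
    text = replaceAll(text, new RegExp(`&${name};`, "g"), val);
  }
  return text;
}

// VULNERABLE (as the advisory describes it): raw name in the pattern, custom entities first.
function expandVulnerable(text, entities) {
  for (const { name, val } of entities) {
    text = replaceAll(text, new RegExp(`&${name};`, "g"), val); // "." is a wildcard here
  }
  return expandBuiltins(text);
}

// HARDENED: escape pattern metacharacters and refuse names that redefine a built-in entity.
function expandFixed(text, entities) {
  for (const { name, val } of entities) {
    if (name in BUILTIN) throw new Error(`entity "${name}" redefines a built-in entity`);
    text = replaceAll(text, new RegExp(`&${escapeRegExp(name)};`, "g"), val);
  }
  return expandBuiltins(text);
}

// Pre-parse check for an input gateway: which declared names, used the way the
// vulnerable code uses them, would match a built-in entity reference?
function shadowingEntityNames(xml) {
  return readDoctypeEntities(xml)
    .filter(({ name }) => {
      try {
        return BUILTIN_REFS.some((ref) => new RegExp(`^&${name};$`).test(ref));
      } catch {
        return true; // a name that is not even a valid pattern is suspicious too
      }
    })
    .map(({ name }) => name);
}

// Output-side encoding the application must apply before rendering parsed text as HTML.
function toHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

function parseAndExpand(xml, expand) {
  return expand(rootText(xml), readDoctypeEntities(xml));
}

// Constructed samples. The text of MALICIOUS only ever contained the safe references
// &lt;, &amp; and &gt;; the payload arrives through the entity declaration alone.
const MALICIOUS =
  '<!DOCTYPE note [<!ENTITY l. "<img src=x onerror=alert(1)>">]>' +
  "<note>1 &lt; 2 &amp; 3 &gt; 2</note>";
const BENIGN = '<!DOCTYPE note [<!ENTITY copy "(c)">]><note>&copy; 5 &lt; 6</note>';
```

With the vulnerable expander, parseAndExpand(MALICIOUS, expandVulnerable) returns the text with the &lt; reference swapped for the img payload, while expandFixed leaves it as a literal less-than; BENIGN expands identically under both, which is the property a fix has to preserve. shadowingEntityNames reports "l." for the malicious document and nothing for the benign one, and toHtml shows why output encoding still neutralises the payload even when an unpatched parser is in the path.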
Impact
When a vulnerable application parses attacker-controlled XML and then renders the parsed text into a webpage without encoding it for HTML, the attacker's injected markup executes in the victim's browser. This is a classic XSS attack, which can lead to:
- Session hijacking (theft of session cookies or tokens).
- Defacement of websites.
- Theft of sensitive user data.
- Redirection of users to malicious sites.
Given the widespread use of this library and the high severity of XSS, this vulnerability is rated as CRITICAL with a CVSS score of 9.3.
Remediation and Mitigation
The primary and most effective action is to immediately update the fast-xml-parser dependency.
1. Immediate Update:
Upgrade fast-xml-parser to version 5.3.5 or later, the first version that contains the fix. Note that npm update and yarn upgrade only move within the version range declared in package.json, so a project pinned to a 4.x range (for example ^4.3.0) will not cross to 5.x; in that case request the fixed major explicitly.
npm update fast-xml-parser
(or, when package.json pins a 4.x range: npm install fast-xml-parser@^5.3.5)
or
yarn upgrade fast-xml-parser
(or: yarn add fast-xml-parser@^5.3.5)
2. Version Check:
Verify whether your application uses an affected version (4.1.3 up to, but not including, 5.3.5). Check package.json and the lockfile, and list every installed copy, transitive ones under other dependencies included, with:
npm list fast-xml-parser
3. Defense-in-Depth: Treat every value that comes out of the parser as untrusted and encode it for the context it is rendered in (HTML body, attribute, JavaScript, URL) at the point of output. Input-side sanitization alone is not enough here, because it is the parser itself that turns safe references into unsafe characters.
4. Temporary Mitigation: If an immediate update is not possible, disable DOCTYPE entity expansion in the parser configuration where feasible. In the 4.x option set this is processEntities: false (verify against the documentation of the installed version); it also stops the standard entities (&lt;, &amp;, and so on) from being decoded, so it may affect functionality. If the application never needs a DOCTYPE, rejecting documents that contain one at the input boundary is a simpler stopgap. The permanent solution is to apply the update.
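For the version check in step 2, the following is an added example written for this page, not a script from the advisory or from the fast-xml-parser project. It compares a version numerically against the affected range [4.1.3, 5.3.5) (a plain string comparison would rank a hypothetical 5.10.0 below 5.3.5), treats pre-releases of the fixed version as still affected, and walks a dependency tree so transitive copies are found too. The tree shape it walks (nested "dependencies" objects carrying a "version" field) is the one npm ls --all --json prints; SAMPLE_TREE and its package names are constructed for the demo.

```javascript
// Added example, not from the advisory or the fast-xml-parser project:
// a semver-correct check against the affected range [4.1.3, 5.3.5) plus a walk
// over a dependency tree in the nested shape `npm ls --all --json` prints.

const PACKAGE = "fast-xml-parser";
const AFFECTED_FROM = [4, 1, 3]; // first affected version (inclusive)
const FIXED_IN = [5, 3, 5];      // first fixed version (exclusive upper bound)

// "v5.3.5-beta.1+build7" -> { core: [5, 3, 5], prerelease: "beta.1" }
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Numeric, component-wise comparison; string comparison would put "5.10.0" before "5.3.5".
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const { core, prerelease } = parseVersion(version);
  if (compareCore(core, AFFECTED_FROM) < 0) return false;
  const vsFixed = compareCore(core, FIXED_IN);
  // 5.3.5-x sorts before 5.3.5 in semver, so a pre-release of the fixed
  // version is treated as still affected (the conservative call when patching).
  return vsFixed < 0 || (vsFixed === 0 && prerelease !== null);
}

// Walk nested "dependencies" and report every affected copy with the path that pulls it in.
function findAffected(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === PACKAGE && typeof node.version === "string" && isAffected(node.version)) {
      out.push({ path: here.join(" > "), version: node.version });
    }
    findAffected(node, here, out);
  }
  return out;
}

// Entry point for real data: pass the text produced by `npm ls --all --json`.
function reportFromJson(jsonText) {
  return findAffected(JSON.parse(jsonText));
}

// Constructed sample in npm-ls shape: a fixed top-level copy, an affected
// transitive copy under an SDK, and a hypothetical 5.10.0 that a string compare would misjudge.
const SAMPLE_TREE = {
  name: "demo-app",
  version: "1.0.0",
  dependencies: {
    "fast-xml-parser": { version: "5.3.5" },
    "some-sdk": {
      version: "2.0.0",
      dependencies: { "fast-xml-parser": { version: "4.2.7" } },
    },
    "other-lib": {
      version: "1.4.0",
      dependencies: { "fast-xml-parser": { version: "5.10.0" } },
    },
  },
};
```

findAffected(SAMPLE_TREE) returns a single entry, the 4.2.7 copy under some-sdk; the top-level 5.3.5 and the nested 5.10.0 are correctly left alone. A pinned range in package.json says nothing about what a transitive dependency resolved to, so run the check against the real npm ls output rather than against package.json alone.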