fast-xml-builder is vulnerable to XML Injection
61
Medium Risk
fast-xml-builder serializes JSON objects into XML. When a stop node attribute value contains a double quote, the raw stop-node attribute path writes it without escaping, so untrusted input can close the attribute and inject additional attributes or markup; separately, when a comment node is supplied as a multi-key object, the comment body is emitted without neutralizing double-hyphen sequences, so untrusted input can break out of the XML comment. Both cases let untrusted input inject arbitrary attributes or elements, which can lead to cross-site scripting when the generated output is rendered as HTML. The fix escapes quotes in stop-node attribute values and neutralizes double-hyphen sequences in multi-key comment objects.
You are affected if you are using a version that falls within the vulnerable range and your application builds XML from untrusted input using stop-node attributes or comment nodes.
fast-xml-builder is vulnerable to XML Injection in versions 1.0.0 - 1.2.0.
Upgrade the fast-xml-builder library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant