Intel

AIKIDO-2026-476466

fast-xml-builder is vulnerable to XML Injection

XML Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

61

Medium Risk

This Affects:

JSfast-xml-builder
1.0.0 - 1.2.0
Fixed in 1.2.1
Are you affected? Scan for Free

TL;DR

fast-xml-builder serializes JSON objects into XML. When a stop node attribute value contains a double quote, the raw stop-node attribute path writes it without escaping, so untrusted input can close the attribute and inject additional attributes or markup; separately, when a comment node is supplied as a multi-key object, the comment body is emitted without neutralizing double-hyphen sequences, so untrusted input can break out of the XML comment. Both cases let untrusted input inject arbitrary attributes or elements, which can lead to cross-site scripting when the generated output is rendered as HTML. The fix escapes quotes in stop-node attribute values and neutralizes double-hyphen sequences in multi-key comment objects.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application builds XML from untrusted input using stop-node attributes or comment nodes.

Background info

fast-xml-builder is vulnerable to XML Injection in versions 1.0.0 - 1.2.0.

How to fix this

Upgrade the fast-xml-builder library to the patch version.