External risk intelligence

fast-xml-parser DOCTYPE entity name wildcard bypass allows XSS.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-25896

The vulnerability exists in a software library used for XML parsing. While libraries are integrated into many applications, including those that may process internet-facing data, the library itself is not a standalone network service or appliance. Its exposure depends entirely on how an individual application utilizes it to handle untrusted input.

Cross-site Scripting

Naturalintelligence Fast Xml Parser

4.1.3 to before 5.3.5

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in the fast-xml-parser library could allow an attacker to inject malicious code by manipulating XML entity names. If the parsed output is displayed without proper sanitization, this could lead to cross-site scripting attacks, potentially impacting systems that process untrusted XML data. The main concern is confirming relevance and exposure.

  • XML parsing library has a critical flaw.
  • Attackers could inject malicious code via XML.
  • Confirm if your systems use this library.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by crafting a malicious XML document. When this document is processed by the vulnerable XML parser, a special character in an entity name tricks the parser into replacing built-in XML characters. This can lead to the injection of arbitrary values, potentially resulting in cross-site scripting if the parsed output is displayed to users.

  • No authentication or user interaction required.
  • Malicious XML document triggers entity replacement.
  • Cross-site scripting via parsed output.

Live Threat

Current exploitation, exposure, and threat context

When an affected version of fast-xml-parser processes specially crafted XML, a vulnerability could allow an attacker to inject malicious scripts. This occurs when the parser's handling of DOCTYPE entity names is bypassed, leading to cross-site scripting (XSS) if the parsed output is rendered without proper sanitization.

  • XML data processed by the parser.
  • Malicious entities injected into XML.
  • Script execution in user's browser.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this vulnerability in the `fast-xml-parser` library, as it impacts how XML data is processed. The first practical step is to identify all instances where this library is used, determine if the affected versions are exposed to external input, and confirm their business criticality. Once ownership is established, a risk-based remediation plan can be developed.

  • Identify all affected applications and their owners.
  • Verify if the library is processing untrusted input.
  • Plan and execute a phased update or mitigation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the fast-xml-parser library used for?

The fast-xml-parser is a software component designed for developers to handle XML data within JavaScript environments. It allows applications to transform XML documents into JavaScript objects or build XML from those objects. Because it operates without relying on underlying C or C++ libraries, it is often chosen for its portability and performance in web-based projects and server-side applications.

How does CVE-2026-25896 cause security issues?

This vulnerability involves Improper Neutralization of Input during Web Page Generation, known as Cross-Site Scripting (CWE-79). The parser incorrectly handles dots in DOCTYPE entity names, treating them as wildcards. This flaw allows an attacker to redefine essential XML entities—like those used to represent symbols such as less-than or greater-than signs—with arbitrary text. When an application renders this manipulated output, it can inadvertently execute malicious scripts in a user's browser.

What triggers the vulnerability in fast-xml-parser?

The flaw is triggered when the library processes a maliciously crafted XML document containing a specific DOCTYPE entity name pattern. This process does not require the attacker to have authentication or rely on user interaction. Importantly, this issue occurs during the entity replacement phase; if an XML document does not use or define DOCTYPE entities in this specific way, the parser's logic for these built-in characters remains unaffected.

How relevant is this to my environment?

According to Halo Surface Signal, relevance depends on how your specific applications utilize this library to handle untrusted input. Because it is a library rather than a standalone network service, it only becomes a risk if it processes data from external or untrusted sources. You should prioritize applications that ingest raw XML from the internet or unverified users, as these are the most likely paths for an attacker to supply the malicious XML needed to trigger the flaw.

What are the first steps to address this CVE?

Start by identifying all applications in your software portfolio that depend on versions 4.1.3 through 5.3.4 of the fast-xml-parser. Once mapped, confirm which of these applications process XML data provided by external users or systems. For all identified instances, the primary solution is to update the library to version 5.3.5 or later, which contains the fix for how DOCTYPE entities are processed.

References