Advisories for Npm/Fast-Xml-Builder package

2026

fast-xml-builder Comment Value regex can be bypassed

The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes – sequences in XML comment content using .replace(/–/g, '- -'). This skip the values containing three consecutive dashes (e.g., —>…), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content.

fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes

When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.