fix(security): update fast-xml-parser to 5.3.5+ for CVE-2026-25896#1534

Open
abhu85 wants to merge 1 commit into aws:main from abhu85:fix/cve-2026-25896-fast-xml-parser

Conversation

abhu85 (Contributor) commented Feb 23, 2026

Summary

Update the pnpm override for fast-xml-parser from >=5.3.4 to >=5.3.5 to address CVE-2026-25896 (GHSA-m7jm-9gc2-mpf2).

Problem

The fast-xml-parser library versions >= 4.1.3 and < 5.3.5 are affected by a critical vulnerability that allows entity encoding bypass via regex injection in DOCTYPE entity names. An attacker can shadow built-in XML entities (e.g., &lt;, &gt;) with arbitrary values, potentially leading to XSS when parsed output is rendered.

The previous override targeted >=5.3.4, but the CVE was fixed in version 5.3.5.

Fix

  • Updated pnpm override: fast-xml-parser@<5.3.5 -> >=5.3.5
  • Regenerated lock file: now resolves to version 5.3.7

Changes

  • package.json: Updated override constraint
  • pnpm-lock.yaml: Updated to fast-xml-parser 5.3.7

Test Plan

  • Verified new version (5.3.7) is above patched version (5.3.5)
  • Lock file regenerated cleanly with pnpm install
  • CI tests pass

Closes #1532


Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

kmcginnes (Collaborator) commented

@abhu85 thank you for the submission. I had a PR that was just merged that should fix this. If it is not fixed by my PR, then I'll look in to merging this one.

abhu85 (Contributor, Author) commented Feb 24, 2026

@kmcginnes Thank you for the quick response! I checked your merged PR #1531 and the current package.json - the fast-xml-parser override is still at >=5.3.4, but CVE-2026-25896 was fixed in version 5.3.5.

The current override:

"fast-xml-parser@<5.3.4": ">=5.3.4"

Should be:

"fast-xml-parser@<5.3.5": ">=5.3.5"

My PR updates this override to ensure versions below 5.3.5 are upgraded. If you'd prefer to handle this yourself or a different way, happy to close this PR.

Let me know how you'd like to proceed!
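The check described in the test plan and in the override discussion above, as an added example that is not the project's own code: it assumes the override lives under package.json `pnpm.overrides` and that resolved lockfile entries look like `fast-xml-parser@X.Y.Z`; all inputs below are constructed, not taken from the repository.

```javascript
// Added example, not part of the PR: check the pnpm override in package.json
// and the versions resolved in pnpm-lock.yaml against the range the advisory
// gives for CVE-2026-25896 (affected >= 4.1.3 and < 5.3.5, fixed in 5.3.5).
const PKG = "fast-xml-parser";
const AFFECTED_MIN = "4.1.3";
const FIXED = "5.3.5";

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way comparison of two versions: -1, 0 or 1.
function cmpSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  return cmpSemver(version, AFFECTED_MIN) >= 0 && cmpSemver(version, FIXED) < 0;
}

// Assumed layout: package.json "pnpm.overrides" holds
// "fast-xml-parser@<range>": ">=X.Y.Z". It is only sufficient if X.Y.Z >= FIXED.
function checkOverride(packageJson) {
  const overrides = (packageJson.pnpm && packageJson.pnpm.overrides) || {};
  for (const [key, value] of Object.entries(overrides)) {
    if (!key.startsWith(PKG + "@")) continue;
    const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(value);
    if (!m) throw new Error(`unsupported override value: ${value}`);
    return { target: m[1], ok: cmpSemver(m[1], FIXED) >= 0 };
  }
  return { target: null, ok: false }; // no override present at all
}

// Every "fast-xml-parser@X.Y.Z" entry in the lockfile text that is still affected.
function vulnerableLockVersions(lockText) {
  const re = new RegExp(`${PKG}@(\\d+\\.\\d+\\.\\d+)`, "g");
  const found = new Set([...lockText.matchAll(re)].map((m) => m[1]));
  return [...found].filter(isAffected).sort();
}

// Constructed inputs mirroring the thread: the old override, the new one,
// and a pnpm-lock.yaml excerpt resolving to 5.3.7 (integrity value is fake).
const OLD_PKG = { pnpm: { overrides: { "fast-xml-parser@<5.3.4": ">=5.3.4" } } };
const NEW_PKG = { pnpm: { overrides: { "fast-xml-parser@<5.3.5": ">=5.3.5" } } };
const LOCK = "packages:\n  fast-xml-parser@5.3.7:\n    resolution: {integrity: sha512-CONSTRUCTED}\n";
```

Running `checkOverride(OLD_PKG)` reports the old `>=5.3.4` override as insufficient, `checkOverride(NEW_PKG)` accepts `>=5.3.5`, and `vulnerableLockVersions(LOCK)` is empty for a lockfile resolving to 5.3.7.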

Update the pnpm override for fast-xml-parser from >=5.3.4 to >=5.3.5
to address CVE-2026-25896 (GHSA-m7jm-9gc2-mpf2).

The vulnerability allows entity encoding bypass via regex injection
in DOCTYPE entity names. An attacker can shadow built-in XML entities
(e.g., &lt; &gt;) with arbitrary values, potentially leading to XSS
when parsed output is rendered.

Affected versions: >= 4.1.3 and < 5.3.5
Fixed in: 5.3.5+
Current lock file version: 5.3.7

Closes aws#1532

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
abhu85 force-pushed the fix/cve-2026-25896-fast-xml-parser branch from 337d510 to cdc51a4 on February 24, 2026 10:19
abhu85 (Contributor, Author) commented Feb 24, 2026

Rebased onto main to resolve the merge conflict with #1537.

Changes in this rebase:

The lockfile now inherits from upstream - pnpm will apply the updated fast-xml-parser override at resolve time during CI.

Ready for review. 🙏

kmcginnes self-requested a review February 24, 2026 16:55
kmcginnes (Collaborator) left a comment

You're right. We should take your PR for the updated override. Good call.

The package.json file looks great. However, the pnpm-lock.yaml seems to be a bit mangled from all the rebasing/merging. It might need another pass or a regen.

Development

Successfully merging this pull request may close these issues.

Susceptible to CVE-2026-25896 (XSS in fast-xml-parser)?