fast-xml-parser XML Injection Flaw Penetrates Firebase Admin Through Transitive Dependency Chain
A medium-severity XML injection vulnerability in `fast-xml-parser` versions below 5.7.0 has been identified as reachable through a transitive dependency chain affecting `firebase-admin` deployments. The flaw, cataloged as GHSA-gh4j-gqv2-49f6 with a CVSS score of 6.1, allows attackers to inject malformed XML structures via unescaped delimiters in the `XMLBuilder` component. While active exploitation status remains unknown, the attack path requires only that adversary-controlled input reach the XML builder, a condition that can arise in any application that builds XML from external content.
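To make the bug class concrete, here is an added illustration written for this page. It is not code from `fast-xml-parser` and does not model `XMLBuilder`'s internals; it uses a deliberately tiny element builder of its own to show why an unescaped delimiter in a text value changes document structure, what the escaped form looks like, and one cheap structural check a reviewer can run over builder output. The record, field names and the `demo` helper are all constructed for the example.

```javascript
// Added illustration of the bug class (unescaped delimiters inside a builder);
// written for this page, not taken from fast-xml-parser, and not a model of
// XMLBuilder's internals. All inputs below are constructed.

// Escape the five characters XML reserves in text and attribute values.
function escapeXml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Simplified XML Name check for element names. Names are validated, not
// escaped, because a name is not a text node and cannot carry entities.
const NAME_RE = /^[A-Za-z_][\w.-]*$/;

function assertName(name) {
  if (!NAME_RE.test(name)) throw new Error(`invalid element name: ${JSON.stringify(name)}`);
}

// Naive builder: interpolates field values verbatim. This is the defect class:
// a value containing '<' or '&' is emitted as markup, not as character data.
function buildNaive(root, fields) {
  const inner = Object.entries(fields).map(([k, v]) => `<${k}>${v}</${k}>`).join('');
  return `<${root}>${inner}</${root}>`;
}

// Hardened builder: every value is escaped, every element name is validated.
function buildEscaped(root, fields) {
  assertName(root);
  const inner = Object.entries(fields).map(([k, v]) => {
    assertName(k);
    return `<${k}>${escapeXml(v)}</${k}>`;
  }).join('');
  return `<${root}>${inner}</${root}>`;
}

// Cheap structural check on builder output: count element start tags.
// A document built from N flat fields must contain exactly N + 1 of them
// (the root plus one per field); more means a value became markup.
function countStartTags(xml) {
  return (xml.match(/<[A-Za-z_][\w.-]*(?=[\s>\/])/g) || []).length;
}

// Constructed record: the `name` value carries the delimiters an
// externally supplied field might contain.
const UNTRUSTED_RECORD = {
  name: 'alice</name><note>unexpected</note><name>',
  email: 'alice@example.test',
};

function demo() {
  const naive = buildNaive('user', UNTRUSTED_RECORD);
  const safe = buildEscaped('user', UNTRUSTED_RECORD);
  const expected = Object.keys(UNTRUSTED_RECORD).length + 1;
  return {
    naive,
    safe,
    naiveTags: countStartTags(naive), // 5: an extra <note> and <name> appeared
    safeTags: countStartTags(safe),   // 3: root plus two fields, as intended
    naiveIsStructurallySound: countStartTags(naive) === expected,
    safeIsStructurallySound: countStartTags(safe) === expected,
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The structural count is not a parser, but it is enough to catch the symptom the advisory describes in a unit test: if a builder is handed a fixed set of fields and the tag count of its output changes with the field values, a value is being treated as markup.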
The vulnerability traces through four layers of dependencies: `firebase-admin` depends on `@google-cloud/firestore`, which pulls in `google-gax`, which in turn includes the vulnerable `fast-xml-parser` version. Because the exposure is transitive, developers who never directly declared `fast-xml-parser` may be running affected code without realizing it. The affected version range in `functions/package-lock.json` is anything below `5.7.0`. A direct fix exists in `fast-xml-parser@5.7.0` and later, but resolving the issue transitively requires upgrading `firebase-admin` to version 10.x, a major version jump that may introduce breaking changes and require code changes beyond updating a dependency declaration.
The finding, identified via npm audit during a pre-PR scan on April 22, 2026, maps to ATT&CK technique T1190 (Exploit Public-Facing Application). Organizations using `firebase-admin` in serverless functions or backend services that construct XML should audit their dependency trees for vulnerable `fast-xml-parser` versions and weigh the operational cost of the major `firebase-admin` upgrade against the risk of leaving the injection vector unpatched. The KEV catalog does not currently list this vulnerability, suggesting limited observed exploitation, but the transitive nature of the exposure makes it harder to confirm that a fix is complete across complex Node.js dependency trees.
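The dependency-chain paragraph above and the audit advice in this one call for the same thing: a way to see which direct dependency is pulling a vulnerable `fast-xml-parser` into the tree. The following added example does that over an npm lockfile's `packages` map (lockfileVersion 2 or 3). It is not code from the advisory, npm, or firebase-admin. The embedded lockfile is a constructed sample whose package names mirror the chain the advisory describes; the intermediate versions, the `5.6.0` install, and the extra package `xml-tool` (included only to show that a nested, already-fixed copy is not reported) are placeholders. `resolveDep` follows Node's nested `node_modules` lookup, and a breadth-first search returns the shortest chain to each vulnerable install.

```javascript
// Added example for this page: walk an npm lockfile's "packages" map
// (lockfileVersion 2 or 3) and report the shortest dependency chain from the
// root to every installed fast-xml-parser below the fixed version. Not code
// from the advisory, npm, or firebase-admin. The embedded lockfile is a
// constructed sample; intermediate versions and the name `xml-tool` are
// placeholders.

const VULN_PKG = 'fast-xml-parser';
const FIXED_VERSION = '5.7.0'; // first release without the flaw, per the advisory

// Compare the numeric major.minor.patch core of two versions. A pre-release
// tag is stripped, so "5.7.0-beta.1" compares equal to 5.7.0; review such
// entries by hand.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Package name from a lockfile key: "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(key, entry) {
  if (key === '') return entry.name || '(root)';
  const marker = 'node_modules/';
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Resolve dependency `dep` of the package at `fromKey` the way Node does:
// nearest nested node_modules first, then each enclosing one, then the root.
function resolveDep(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Breadth-first search from the root. The parent map yields the shortest
// chain to each vulnerable install, which is what identifies the direct
// dependency that has to be upgraded.
function findVulnerableChains(lockfile) {
  const packages = lockfile.packages || {};
  if (!packages['']) throw new Error('lockfile has no root entry; lockfileVersion 2 or 3 expected');
  const parent = new Map([['', null]]);
  const queue = [''];
  const chains = [];
  while (queue.length > 0) {
    const key = queue.shift();
    const entry = packages[key];
    if (packageName(key, entry) === VULN_PKG && isVulnerable(entry.version)) {
      const chain = [];
      for (let k = key; k !== null; k = parent.get(k)) {
        chain.unshift(`${packageName(k, packages[k])}@${packages[k].version}`);
      }
      chains.push(chain);
    }
    for (const dep of Object.keys(entry.dependencies || {})) {
      const next = resolveDep(packages, key, dep);
      if (next !== null && !parent.has(next)) {
        parent.set(next, key);
        queue.push(next);
      }
    }
  }
  return chains;
}

// Constructed lockfile (hoisted layout). `xml-tool` and all version numbers
// other than the 5.7.0 threshold are placeholders.
const SAMPLE_LOCKFILE = {
  name: 'functions',
  lockfileVersion: 3,
  packages: {
    '': { name: 'functions', version: '1.0.0',
          dependencies: { 'firebase-admin': '^9.0.0', 'xml-tool': '^1.0.0' } },
    'node_modules/firebase-admin': { version: '9.0.0', dependencies: { '@google-cloud/firestore': '^4.0.0' } },
    'node_modules/@google-cloud/firestore': { version: '4.0.0', dependencies: { 'google-gax': '^2.0.0' } },
    'node_modules/google-gax': { version: '2.0.0', dependencies: { [VULN_PKG]: '^5.0.0' } },
    'node_modules/fast-xml-parser': { version: '5.6.0' },
    'node_modules/xml-tool': { version: '1.0.0', dependencies: { [VULN_PKG]: '^5.7.0' } },
    'node_modules/xml-tool/node_modules/fast-xml-parser': { version: '5.7.0' },
  },
};

// Run with a lockfile path (e.g. functions/package-lock.json) to audit a real
// tree; with no argument the constructed sample is used.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const lockfile = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCKFILE;
  const chains = findVulnerableChains(lockfile);
  if (chains.length === 0) console.log(`no ${VULN_PKG} < ${FIXED_VERSION} reachable from the root`);
  for (const chain of chains) console.log(chain.join(' -> '));
}
```

On the sample this prints a single chain, `functions@1.0.0 -> firebase-admin@9.0.0 -> @google-cloud/firestore@4.0.0 -> google-gax@2.0.0 -> fast-xml-parser@5.6.0`, and says nothing about the nested 5.7.0 copy under `xml-tool`. That is the answer the advisory's remediation question needs: the first element after the root is the direct dependency whose upgrade (here `firebase-admin`) has to carry the transitive fix. Only `dependencies` edges are followed; add `optionalDependencies` to the loop if the tree being audited uses them.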