fast-xml-parser Patches Critical XML Injection Flaw in XMLBuilder Component
A critical security vulnerability has been identified in fast-xml-parser, a widely deployed JavaScript library for XML parsing and validation. The flaw, tracked as CVE-2026-41650 and catalogued as GHSA-gh4j-gqv2-49f6, affects the XMLBuilder component and enables XML Comment and CDATA Injection via unescaped delimiters. The vulnerability impacts all applications relying on this library for XML processing, raising significant risk for systems handling untrusted XML input.
The security issue stems from improper handling of delimiters within the XMLBuilder module, where specially crafted XML content could inject malicious comments or CDATA sections into output. Successful exploitation could allow attackers to manipulate XML structures, bypass validation logic, or trigger unexpected parsing behavior in downstream systems. The vulnerability has been patched in version 5.7.0, with the fix addressing the root cause by properly escaping delimiters during XML construction.
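To make the mechanism described above concrete, here is an added example that is not fast-xml-parser's code and does not reproduce its internals: a toy node builder that wraps a caller-supplied string in a CDATA or comment node without escaping, next to a hardened variant that neutralises the only sequences able to terminate such a section (`]]>` for CDATA, `--` for comments). All function names and sample values are constructed for this illustration; the CDATA split and double-hyphen rewriting are standard XML escaping techniques, not the library's fix.

```javascript
// Added example (not fast-xml-parser's code): why unescaped comment/CDATA
// delimiters let a value break out of its node, and a hardened builder.
// Function names and sample values are constructed for this illustration.

// Escaping for ordinary character data. Entities are NOT expanded inside
// CDATA sections or comments, which is exactly why delimiters matter there.
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Naive builder: trusts the caller's string and wraps it verbatim. Any "]]>"
// or "--" in the value ends the section early and the rest becomes markup.
function buildNaive(tag, text, mode) {
  if (mode === 'cdata') return `<${tag}><![CDATA[${text}]]></${tag}>`;
  if (mode === 'comment') return `<${tag}><!--${text}--></${tag}>`;
  return `<${tag}>${escapeText(text)}</${tag}>`;
}

// CDATA: split every "]]>" across two adjacent sections so each piece is
// inert; a parser concatenates the sections back into the original text.
function escapeCdata(s) {
  return String(s).split(']]>').join(']]]]><![CDATA[>');
}

// Comments: XML forbids "--" inside a comment at all, so break every double
// hyphen rather than only the "-->" terminator.
function escapeComment(s) {
  return String(s).replace(/--/g, '- -');
}

// Hardened builder: same shape, delimiters neutralised.
function buildSafe(tag, text, mode) {
  if (mode === 'cdata') return `<${tag}><![CDATA[${escapeCdata(text)}]]></${tag}>`;
  if (mode === 'comment') return `<${tag}><!--${escapeComment(text)}--></${tag}>`;
  return `<${tag}>${escapeText(text)}</${tag}>`;
}

// Round-trip check: collect the text of every CDATA section in the output.
// For the naive builder the value is truncated at the injected terminator;
// for the hardened builder the joined sections equal the original value.
function extractCdataText(xml) {
  const re = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  let out = '';
  let m;
  while ((m = re.exec(xml)) !== null) out += m[1];
  return out;
}

// Review/monitoring aid: which section terminators does an untrusted value
// carry? Useful for flagging inputs destined for CDATA or comment nodes.
function findDelimiters(s) {
  const hits = [];
  if (s.includes(']]>')) hits.push(']]>');
  if (s.includes('--')) hits.push('--');
  return hits;
}

// Constructed sample value containing a CDATA terminator.
const SAMPLE = 'a]]>b';
console.log('naive :', buildNaive('t', SAMPLE, 'cdata'), '->', JSON.stringify(extractCdataText(buildNaive('t', SAMPLE, 'cdata'))));
console.log('safe  :', buildSafe('t', SAMPLE, 'cdata'), '->', JSON.stringify(extractCdataText(buildSafe('t', SAMPLE, 'cdata'))));
console.log('flags :', findDelimiters(SAMPLE));
```

The round-trip helper is the useful part for a defender: running it over a builder's output on values that contain `]]>` or `--` shows immediately whether the value survived intact or was cut short, which is the observable symptom of this class of bug.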
Developers and security teams should immediately audit their dependencies for instances of fast-xml-parser versions prior to 5.7.0 and prioritize updating to the patched release. Given the library's prevalence in enterprise JavaScript ecosystems, the potential blast radius of this vulnerability extends across web applications, API services, and data pipelines that process XML documents. Organizations are advised to review their XML input validation strategies and monitor for indicators of exploitation attempts, particularly in environments where external parties can submit XML payloads.
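The dependency audit recommended above is easy to get wrong when a vulnerable copy is pulled in transitively rather than as a direct dependency. The following is an added example, not part of the advisory and not a tool from the fast-xml-parser project: it walks the `packages` map of a `package-lock.json` (lockfile version 2 or 3, where keys are install paths) and flags every installed fast-xml-parser older than 5.7.0. The lockfile contents, package names and function names are constructed for this illustration; the 5.7.0 threshold comes from the advisory.

```javascript
// Added example (not part of the advisory or of fast-xml-parser): flag every
// fast-xml-parser install below the patched release in a package-lock.json
// "packages" map. Lockfile contents and helper names are constructed here.

const PATCHED = '5.7.0'; // patched release named in the advisory

// Minimal semver parsing: major.minor.patch with an optional prerelease tag.
// Build metadata (+...) is ignored. Throws on anything that is not a version.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a release version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before its release (5.7.0-rc.1 < 5.7.0),
// so release candidates of the fix are still reported as affected.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isAffected(version) {
  return compareSemver(version, PATCHED) < 0;
}

// Lockfile keys are install paths, so nested copies installed under another
// dependency's node_modules are found as well as the top-level one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/fast-xml-parser')) continue;
    if (!meta || !meta.version) continue; // link/workspace entries carry no version
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: the direct install is patched, but a legacy
// client library still ships its own older copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'fast-xml-parser': '^5.7.0' } },
    'node_modules/fast-xml-parser': { version: '5.7.0' },
    'node_modules/legacy-soap-client': { version: '1.2.3' },
    'node_modules/legacy-soap-client/node_modules/fast-xml-parser': { version: '4.5.0' },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
for (const f of report) {
  console.log(`${f.affected ? 'AFFECTED' : 'ok      '} ${f.version}  ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfile version 1 files have no `packages` map and would need the nested `dependencies` tree walked instead.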