fast-xml-parser CVE-2026-41650: XMLBuilder Injection Flaw Forces Emergency Update to v5.7.0
A critical security vulnerability in the `fast-xml-parser` npm package has triggered an urgent version bump to 5.7.0, patching a flaw that allows XML comment and CDATA injection via unescaped delimiters in the XMLBuilder component. The issue, tracked as CVE-2026-41650 and catalogued under GHSA-gh4j-gqv2-49f6, exposes any application relying on this widely deployed parser to potential content injection attacks when processing untrusted XML input.
The vulnerability stems from the parser's failure to properly sanitize delimiters within XML comments and CDATA sections during serialization. Attackers who can control or influence XML content processed by a vulnerable application could inject malformed comments or CDATA blocks to manipulate output structure, bypass validation logic, or trigger downstream parsing errors. The flaw affects the XMLBuilder module specifically, which is commonly used for converting JavaScript objects into XML format. The library is a standard dependency in numerous Node.js projects handling XML serialization, configuration parsing, and API response generation.
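As an added example (not fast-xml-parser's own code), the following minimal object-to-XML builder reproduces the delimiter problem the advisory describes next to a hardened version, plus a structural check a defender can run over serialized output; the property names, helper functions and sample values are assumptions made for this illustration.

```javascript
// Added illustration, not fast-xml-parser's code: a minimal object-to-XML
// builder written two ways, plus a check. '#comment'/'#cdata' are example keys.

// Naive variant: the value goes between the node delimiters verbatim, so a
// value containing '-->' or ']]>' closes the node early.
function buildNaive(name, node) {
  let out = `<${name}>`;
  if (node['#comment'] !== undefined) out += `<!--${node['#comment']}-->`;
  if (node['#cdata'] !== undefined) out += `<![CDATA[${node['#cdata']}]]>`;
  return out + `</${name}>`;
}

// A CDATA section cannot contain ']]>': split the value so the terminator is
// never emitted intact; a parser concatenates the adjacent sections again.
function safeCdata(s) {
  return String(s).split(']]>').join(']]]]><![CDATA[>');
}

// A comment cannot contain '--' or end in '-' (XML 1.0, section 2.5): break
// every double hyphen, so the value can never form '-->'.
function safeComment(s) {
  return String(s).replace(/-(?=-)/g, '- ').replace(/-$/, '- ');
}

// Hardened variant: the same builder with the delimiters neutralised.
function buildSafe(name, node) {
  let out = `<${name}>`;
  if (node['#comment'] !== undefined) out += `<!--${safeComment(node['#comment'])}-->`;
  if (node['#cdata'] !== undefined) out += `<![CDATA[${safeCdata(node['#cdata'])}]]>`;
  return out + `</${name}>`;
}

// Check: walk the output as a parser would and list the element tags outside
// comments and CDATA. A serialized value must never add entries to this list.
function elementTags(xml) {
  const tags = [];
  for (let i = 0; i < xml.length; ) {
    if (xml[i] !== '<') { i++; continue; }
    const end = xml.startsWith('<!--', i) ? '-->' : xml.startsWith('<![CDATA[', i) ? ']]>' : '>';
    const e = xml.indexOf(end, i + 1);
    if (e < 0) break;
    if (end === '>') tags.push(xml.slice(i + 1, e).replace(/^\/|\/$/g, ''));
    i = e + end.length;
  }
  return tags;
}

// Constructed sample values: the node's own closing delimiter, then a marker element.
const HOSTILE_CDATA = 'price]]><marker/>';
const HOSTILE_COMMENT = 'note--><marker/><!--';
```

Running `elementTags` over `buildNaive` output for the sample values yields an extra `marker` element, while the `buildSafe` output keeps only the `item` tags; the same check can serve as an output-validation gate until the upgrade is in place.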
Developers using `fast-xml-parser` versions prior to 5.7.0 should upgrade immediately, particularly if the application processes XML from external sources or user-supplied content. Downstream projects that bundle the library indirectly may also be affected, necessitating a review of transitive dependencies. The security advisory recommends verifying XMLBuilder usage patterns and applying output validation as a temporary mitigation where immediate upgrades are not feasible. Continued use of older versions raises the risk of injection-based attacks targeting any system component that trusts serialized XML output.