fast-xml-builder, Attribute Injection via Unquoted Values, (CVE not specified – High)


How the mentioned CVE works

The vulnerability exists in the fast-xml-builder library when processing XML/HTML input. Unless the `processEntities` flag is enabled, the library writes attribute values that contain quotes verbatim. An attacker can craft input in which an attribute value includes an unescaped double quote, followed by a space and additional attribute syntax. For example, providing an attribute like `attr="value" malicious="true"` inside a quoted string causes the parser to treat the embedded quote as closing the original attribute. Because `processEntities` is disabled, the library does not replace `"` or other entities, so the quote survives intact. The parser then splits the value at the quote boundary and creates a new attribute from the injected payload. This allows injection of arbitrary attributes, such as `onclick` or `data-*` attributes, leading to XSS or logic bypass. The attack succeeds only when `ignoreAttributes` is false (the default) and `processEntities` is false; the library's default configuration may set `processEntities: false` for performance. An attacker can supply XML like `` but wrapped in a quoted attribute value: `<tag attr="value\" extra=\"injected"/>`. The parser sees the first quote, then `value`, then a quote that is actually part of the value but is treated as closing it, then ` extra=` as a new attribute. The trailing quote leaves the quotes unbalanced, but the damage is already done.

DailyCVE form

Platform: Node.js
Version: < 4.2.0
Vulnerability: Attribute injection
Severity: High
Date: 2026-05-04

Prediction: 2026-05-15

What Undercode Says:

# Check the installed version of fast-xml-builder
npm list fast-xml-builder
# List vulnerable versions (4.0.x and 4.1.x, i.e. before the 4.2.0 patch)
npm view fast-xml-builder versions --json | grep -E '"4\.[01]\.'
# Simulate the attack with Node.js: attributes enabled, entity processing disabled
cat << 'EOF' > exploit-test.js
const { XMLBuilder } = require('fast-xml-builder');
const builder = new XMLBuilder({
  ignoreAttributes: false,   // attributes are serialized (default)
  processEntities: false     // quotes in values are NOT entity-encoded
});
// Attacker-controlled attribute value containing a raw double quote
const malicious = {
  elem: {
    '@_attr': 'value" malicious="injected'
  }
};
console.log(builder.build(malicious));
EOF
node exploit-test.js
Output: <elem attr="value" malicious="injected"/>

Exploit:

An attacker submits XML/HTML payload where an attribute value contains a double quote followed by a space and a new attribute name-value pair. Example payload:

``

When `processEntities` is false, the quote is not escaped, resulting in:

``

This injects event handlers or elevates privileges.

Protection from this CVE

  • Upgrade to fast-xml-builder >= 4.2.0 (patch released 2026-05-08).
  • If upgrading is not possible, set `processEntities: true` when creating the builder.
  • Validate and sanitize all input attribute values before passing to the library.
  • Use `ignoreAttributes: true` if attributes are not needed.
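The following added example (not fast-xml-builder's own code) models the mechanism described above and the `processEntities: true` mitigation: a toy serializer with the entity encoding on or off, a check that counts how many attributes a parser would actually see, and a pre-build validation gate for the case where entities cannot be enabled. The builder, entity map, and helper names are assumptions for illustration; the input value is constructed from the page's scenario.

```javascript
// Added example, not fast-xml-builder code: demonstrates why a raw quote in an
// attribute value breaks out of the attribute, and how entity-encoding (what the
// page's `processEntities: true` advice turns on) and input validation stop it.

// Entities applied to attribute values when entity processing is enabled.
const ATTR_ENTITIES = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };

// Encode an attribute value so it can never terminate its own quoted context.
function escapeAttr(value) {
  return String(value).replace(/[&"<>]/g, (ch) => ATTR_ENTITIES[ch]);
}

// Minimal serializer modelled on the page's builder call (hypothetical helper),
// with the two behaviours under discussion: processEntities on or off.
function buildElement(name, attrs, { processEntities }) {
  const rendered = Object.entries(attrs)
    .map(([k, v]) => `${k}="${processEntities ? escapeAttr(v) : v}"`)
    .join(' ');
  return `<${name} ${rendered}/>`;
}

// Defender check: count the attributes a parser would see in the serialized
// tag; it must equal the number of attributes that were actually supplied.
function countAttributes(tag) {
  const m = tag.match(/\s[\w:-]+="[^"]*"/g);
  return m ? m.length : 0;
}

// Pre-build validation gate: reject values containing a raw quote followed by
// attribute-like syntax (name=) when entity processing cannot be enabled.
function looksLikeAttrInjection(value) {
  return /["']\s*[\w:-]+\s*=/.test(String(value));
}

// Constructed attacker-controlled value from the page's scenario.
const malicious = 'value" malicious="injected';

const unsafe = buildElement('elem', { attr: malicious }, { processEntities: false });
const safe = buildElement('elem', { attr: malicious }, { processEntities: true });
// unsafe -> <elem attr="value" malicious="injected"/>            (2 attributes)
// safe   -> <elem attr="value&quot; malicious=&quot;injected"/> (1 attribute)
```

Comparing `countAttributes(unsafe)` with the number of attributes you passed in is a cheap regression test to add wherever untrusted values reach the builder.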

Impact

  • Arbitrary attribute injection leading to XSS in HTML output.
  • Bypass of security filters relying on attribute whitelists.
  • Privilege escalation in XML-based configuration files.
  • Data corruption when attributes control application logic (e.g., `enabled="false"` becoming `enabled="true"`).


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
