CVE-2026-25896
Published: 20 February 2026
Summary
CVE-2026-25896 is a critical-severity Incorrect Regular Expression (CWE-185) vulnerability in Naturalintelligence Fast-Xml-Parser. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 5.7th percentile for exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: upgrade fast-xml-parser to version 5.3.5 or later, which stops a dot in a DOCTYPE entity name from being treated as a regex wildcard during entity replacement.
- SI-10 (Information Input Validation): validate untrusted XML before it reaches the parser and reject, or strip, DOCTYPE entity declarations whose names contain a dot, since on unpatched versions such names can shadow the built-in entities.
- SI-15 (Information Output Filtering): encode or filter parsed XML text before rendering it in a web context, so that a value substituted for an overridden entity cannot land in the page as an XSS payload.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote, unauthenticated exploitation of public-facing applications through malicious XML (T1190); the injected content in the parsed output then leads directly to arbitrary JavaScript execution via XSS in web contexts (T1059.007, Command and Scripting Interpreter: JavaScript).
NVD Description
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Deeper analysis
CVE-2026-25896 affects the fast-xml-parser JavaScript library, versions 4.1.3 through 5.3.4, which is used to validate XML, parse XML into JavaScript objects, or build XML from JavaScript objects without C/C++ dependencies or callbacks. The vulnerability arises because a dot (.) character in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, enabling attackers to shadow built-in XML entities such as <, >, &, ", and ' with arbitrary values. This flaw, classified under CWE-185, bypasses standard entity encoding and has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N).
An attacker can exploit this vulnerability by supplying malicious XML input containing a crafted DOCTYPE entity with a dot in its name to any application that uses an affected fast-xml-parser version to process untrusted XML. No privileges or user interaction are required, and exploitation occurs over the network with low complexity. Successful exploitation lets the attacker choose what a built-in entity reference such as &lt; expands to, so that text an upstream layer had entity-encoded comes out of the parser carrying attacker-controlled markup; when that output is rendered in a web context the result is cross-site scripting (XSS). The vector reflects this: high integrity impact, low confidentiality impact, and a scope change, because the payload executes in the victim's browser rather than in the component that parsed the XML.
The vulnerability is fixed in fast-xml-parser version 5.3.5, as detailed in the project's GitHub security advisory (GHSA-m7jm-9gc2-mpf2) and release notes. Mitigation involves upgrading to 5.3.5 or later; the relevant patches are commits 943ef0eb1b2d3284e72dd74f44a042ee9f07026e and ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69. Security practitioners should review the dependency trees (including transitive dependencies in lockfiles) of Node.js and browser-based applications that handle XML for versions 4.1.3 through 5.3.4, and should treat any XML source that can carry a DOCTYPE as untrusted until the upgrade is in place.
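The mechanism described above, as an added example that is not fast-xml-parser's code and not the upstream patch: a minimal model of DOCTYPE entity replacement that reproduces the CWE-185 pattern (an entity name interpolated unescaped into a RegExp, so the name "l." matches "&lt;"), a hardened replacement beside it, and an input pre-check of the kind SI-10 calls for. All function names, the constructed attack document, and the choice of literal matching plus a redeclaration check as the fix are this example's own assumptions.

```javascript
// Added example, not fast-xml-parser's code: a model of DOCTYPE entity
// replacement showing the CWE-185 pattern and one hardened alternative.

// The five predefined XML entities; '&' is decoded last so that "&amp;lt;"
// yields the literal text "&lt;" rather than "<".
const PREDEFINED = [["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"], ["amp", "&"]];

// Pull <!ENTITY name "value"> declarations out of the internal DOCTYPE subset.
function parseDoctypeEntities(xml) {
  const entities = {};
  const subset = xml.match(/<!DOCTYPE[^\[]*\[([\s\S]*?)\]\s*>/);
  if (!subset) return entities;
  const decl = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(subset[1])) !== null) entities[m[1]] = m[2];
  return entities;
}

// Vulnerable pattern: the entity name is interpolated into a RegExp without
// escaping, so "." in the name "l." is a wildcard and /&l.;/ matches "&lt;".
// Declared entities are expanded before the predefined ones, so the attacker's
// value replaces "&lt;" (the same shape gives "g." for "&gt;", "a.." for
// "&amp;"). The value is also passed raw to String.replace, where "$&" and
// similar patterns would be interpreted.
function replaceEntitiesVulnerable(text, doctypeEntities) {
  for (const [name, value] of Object.entries(doctypeEntities)) {
    text = text.replace(new RegExp("&" + name + ";", "g"), value);
  }
  for (const [name, value] of PREDEFINED) {
    text = text.replace(new RegExp("&" + name + ";", "g"), value);
  }
  return text;
}

// Hardened pattern (this example's own fix, not the upstream patch): require
// the name to match the XML Name production, refuse redeclaration of the
// predefined entities, and match "&name;" as a literal string (split/join) so
// that neither the name nor the value is ever interpreted as a pattern.
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9._:-]*$/;
const PREDEFINED_NAMES = new Set(PREDEFINED.map(([n]) => n));
function replaceEntitiesHardened(text, doctypeEntities) {
  for (const [name, value] of Object.entries(doctypeEntities)) {
    if (!XML_NAME.test(name)) throw new Error(`invalid entity name: ${name}`);
    if (PREDEFINED_NAMES.has(name)) throw new Error(`refusing to redeclare &${name};`);
    text = text.split(`&${name};`).join(value);
  }
  for (const [name, value] of PREDEFINED) text = text.split(`&${name};`).join(value);
  return text;
}

// SI-10 style pre-check for use in front of an unpatched parser: report any
// declared entity name carrying characters a regex would interpret.
function entityNamesWithMetachars(xml) {
  return Object.keys(parseDoctypeEntities(xml)).filter((n) => /[^A-Za-z0-9_:-]/.test(n));
}

// Constructed attacker document: the entity "l." carries a script-bearing
// value, and the element text is what an upstream layer had entity-encoded.
const ATTACK_XML =
  '<?xml version="1.0"?>\n' +
  '<!DOCTYPE note [ <!ENTITY l. "<img src=x onerror=alert(1)>"> ]>\n' +
  "<note>&lt;b&gt;hello&lt;/b&gt;</note>";

// Expand the entity references in the <note> text with the given strategy.
function expandNoteText(xml, replaceFn) {
  const body = xml.match(/<note>([\s\S]*)<\/note>/)[1];
  return replaceFn(body, parseDoctypeEntities(xml));
}

console.log(expandNoteText(ATTACK_XML, replaceEntitiesVulnerable));
// <img src=x onerror=alert(1)>b>hello<img src=x onerror=alert(1)>/b>
console.log(expandNoteText(ATTACK_XML, replaceEntitiesHardened));
// <b>hello</b>
console.log(entityNamesWithMetachars(ATTACK_XML));
// [ 'l.' ]
```

The hardened path still decodes &lt; to a literal "<", which is ordinary XML behaviour; whether that character is safe to render is the job of output encoding at the rendering layer (SI-15), not of the parser. The pre-check is deliberately stricter than the XML Name production, which does permit dots, because on an unpatched parser a dot is exactly the character that turns a name into a pattern.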
Details
- CWE(s)