
[Aikido] Fix security issue in fast-xml-parser via minor version upgrade from 5.2.5 to 5.5.7 #1

Open
aikido-autofix[bot] wants to merge 1 commit into main from fix/aikido-security-update-packages-23456023-44bq

Conversation

@aikido-autofix

Upgrade fast-xml-parser to fix critical XSS via entity shadowing, RangeError DoS, unlimited entity expansion DoS, numeric entity expansion bypass, and stack overflow vulnerabilities.

✅ 6 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

| Issue | Severity | Description |
| --- | --- | --- |
| CVE-2026-25896 | 🚨 CRITICAL | [fast-xml-parser] A dot (.) in DOCTYPE entity names is treated as a regex wildcard, allowing attackers to shadow built-in XML entities with arbitrary values and bypass entity encoding. This leads to XSS when parsed output is rendered. |
| CVE-2026-25128 | HIGH | [fast-xml-parser] A RangeError vulnerability in numeric entity processing allows attackers to crash applications by providing XML with out-of-range entity code points, causing an uncaught exception during parsing of untrusted input. |
| CVE-2026-26278 | HIGH | [fast-xml-parser] XML entity expansion vulnerability allows attackers to cause denial of service by forcing unlimited entity expansion with minimal input, potentially freezing the application for extended periods. |
| CVE-2026-33036 | HIGH | [fast-xml-parser] Numeric character references and standard XML entities bypass entity expansion limits, allowing attackers to cause XML entity expansion Denial of Service by forcing excessive memory allocation and CPU usage through crafted XML payloads. |
| CVE-2026-27942 | HIGH | [fast-xml-parser] XML builder with preserveOrder:true causes stack overflow leading to denial of service when processing certain inputs. The application crashes due to improper recursion handling during XML construction. |
| CVE-2026-33349 | MEDIUM | [fast-xml-parser] XML entity expansion vulnerability where setting maxEntityCount or maxEntitySize to 0 is bypassed due to JavaScript falsy checks, allowing attackers to cause denial of service through memory exhaustion. The vulnerability affects configurations explicitly set to restrict or disable entities. |
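The CVE descriptions above name four bug classes that a reviewer of this upgrade will want to recognise in any XML entity handling: an entity name used as a regex pattern, an uncaught RangeError on out-of-range numeric references, numeric and built-in references escaping the expansion budget, and a `0` limit swallowed by a falsy check. The following is an added illustration written for this review, not code from fast-xml-parser or from the Aikido bot: a small, defensive entity expander whose functions (`resolveLimit`, `escapeRegExp`, `parseDoctypeEntities`, `expandEntities`, `tryExpand`) and default limits are this example's own assumptions. It goes slightly beyond the individual descriptions by combining the four mitigations in one pass, so that the same budget covers nested, numeric and built-in references alike. The `preserveOrder` builder overflow (CVE-2026-27942) is not modelled here.

```javascript
// Added example (not fast-xml-parser's code). A defensive XML entity expander that
// demonstrates the mitigation classes behind the CVEs listed in this PR. All names
// and defaults below are assumptions of this example.

const BUILTIN_ENTITIES = { lt: "<", gt: ">", amp: "&", quot: '"', apos: "'" };
const DEFAULT_LIMITS = { maxEntityCount: 100, maxEntitySize: 10000 }; // assumed defaults
const MAX_NESTING = 20; // guards against self-referencing declarations

// Limit resolution: only `undefined` falls back to the default. Writing
// `options.maxEntityCount || DEFAULT` instead would turn an explicit 0 into the
// default, which is the falsy-check pitfall CVE-2026-33349 describes.
function resolveLimit(value, fallback) {
  return value === undefined ? fallback : value;
}

// Escape regex metacharacters so a declared name such as "l.t" matches only the
// literal text "l.t" and can never act as a wildcard over "lt" (CVE-2026-25896).
function escapeRegExp(name) {
  return name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function isBuiltin(name) {
  return Object.prototype.hasOwnProperty.call(BUILTIN_ENTITIES, name);
}

// Collect <!ENTITY name "value"> declarations from a DOCTYPE internal subset.
// A declaration that reuses a built-in name is ignored: built-ins always win.
function parseDoctypeEntities(doctype) {
  const entities = {};
  const decl = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(doctype)) !== null) {
    const [, name, value] = m;
    if (!isBuiltin(name)) entities[name] = value;
  }
  return entities;
}

// Expand numeric and named references in `text` in a single pass per nesting
// level. Every substituted string, at every level, is charged against
// maxEntityCount and maxEntitySize, so numeric references and built-ins cannot
// bypass the budget (CVE-2026-33036). Out-of-range numeric references are left
// in place instead of letting String.fromCodePoint throw an uncaught RangeError
// (CVE-2026-25128).
function expandEntities(text, entities, options = {}) {
  const maxEntityCount = resolveLimit(options.maxEntityCount, DEFAULT_LIMITS.maxEntityCount);
  const maxEntitySize = resolveLimit(options.maxEntitySize, DEFAULT_LIMITS.maxEntitySize);
  const budget = { count: 0, size: 0 };
  const charge = (replacement) => {
    budget.count += 1;
    budget.size += replacement.length;
    if (budget.count > maxEntityCount) throw new Error(`entity count exceeds ${maxEntityCount}`);
    if (budget.size > maxEntitySize) throw new Error(`entity expansion size exceeds ${maxEntitySize}`);
  };
  // Built-ins are spread last so an exact-name clash resolves to the built-in.
  const table = { ...entities, ...BUILTIN_ENTITIES };
  const names = Object.keys(table).map(escapeRegExp).join("|");
  const refSource = `&(#x[0-9A-Fa-f]+|#[0-9]+|${names});`;

  const expand = (s, depth) => {
    if (depth > MAX_NESTING) throw new Error("entity nesting too deep");
    return s.replace(new RegExp(refSource, "g"), (whole, ref) => {
      if (ref[0] === "#") {
        const cp = ref[1] === "x" ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
        if (!Number.isFinite(cp) || cp === 0 || cp > 0x10ffff) return whole; // reject, never throw
        const ch = String.fromCodePoint(cp);
        charge(ch);
        return ch;
      }
      const value = table[ref];
      charge(value);
      // Declared entities may themselves contain references; built-ins are terminal.
      return isBuiltin(ref) ? value : expand(value, depth + 1);
    });
  };
  return expand(text, 0);
}

// Wrapper that reports a budget violation as a value instead of an exception.
function tryExpand(text, entities, options) {
  try {
    return { ok: true, value: expandEntities(text, entities, options) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

Two design points worth noting when reviewing an upgrade like this one. First, the single combined regex means `&#38;lt;` decodes to the literal text `&lt;` rather than being re-scanned into `<`; a two-stage numeric-then-named pass would double-decode. Second, the budget counts the length of each substituted string at every nesting level, which over-counts compared with the final output but fails closed, so a small input that fans out exponentially is stopped after a handful of substitutions instead of after the output has been materialised.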


vercel bot commented Apr 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| ext-icon | Ready | Preview, Comment | Apr 15, 2026 11:57pm |


cloudflare-workers-and-pages bot commented Apr 15, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ❌ Deployment failed (View logs) | api-icons | 8bc5d30 | Apr 15 2026, 11:55 PM |
