fast-xml-parser DOCTYPE Entity Name Regex Injection Vulnerability Allowing Entity Encoding Bypass and XSS

Vulnerability

A vulnerability in fast-xml-parser versions from 4.1.3 up to, but not including, 5.3.5 allows XML entity encoding to be bypassed, which leads to cross-site scripting (XSS) when the parsed text is rendered. The parser interpolates the name of each entity declared in the DOCTYPE into a regular expression without escaping regex metacharacters. The XML Name grammar permits a dot in an entity name (anywhere after the first character), and in a regular expression a dot matches any single character, so a declared entity such as "l." yields a pattern that also matches the predefined reference &lt;. Because declared entities take precedence over the predefined lt, gt, amp, quot and apos entities, an attacker who controls the DOCTYPE can replace those references with arbitrary values. The vulnerability is present in both the v5 and v6 codebases.

Impact

An attacker who controls the XML input can redefine what the predefined entity references decode to, which defeats any encoding the application relied on to keep markup inert. For example, a double-encoded value such as &amp;lt;script&amp;gt; should decode to the literal text &lt;script&gt;, but a declared entity whose pattern matches &amp; can collapse it to <script>. Any application that renders the parsed text into a web page, whether through innerHTML on the client or through a server-side template that emits it unescaped, is exposed to XSS.

Reproduction

To reproduce, supply a document whose internal DTD subset declares an entity whose name contains a dot positioned so that, read as a regular expression, it matches one of the predefined names: for example "l." for lt, "g." for gt or "a.p" for amp (the dot cannot be the first character, since an XML name may not start with one). Give the entity an arbitrary replacement value, then reference the corresponding predefined entity (&lt;, &gt;, &amp;) in element text. On parsing, the declared entity shadows the predefined one and the reference decodes to the attacker's value instead of the expected character. If the application renders that text without escaping, for example via innerHTML or a server-side template that emits raw strings, the injected markup executes.

Remediation

Upgrade to fast-xml-parser 5.3.5 or later. The fix escapes regex metacharacters in entity names before they are compiled into the replacement regular expressions, so an entity name can only ever match its own reference. If an application does not need entity expansion at all, the processEntities option (enabled by default) can be turned off as an interim measure. Independently of the parser version, treat text obtained from untrusted XML as untrusted data and escape it for the context it is rendered in: the parser decodes entities by design, so even correct entity handling yields raw characters such as < in its output.
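The mechanism described under Reproduction, together with the escaping described under Remediation, as an added illustration that is not fast-xml-parser's own source: a toy entity expander that reads <!ENTITY> declarations from the internal DTD subset, compiles each name into a RegExp either verbatim (the vulnerable path) or after escaping metacharacters (the hardened path), and expands declared entities before the predefined ones. The readDoctypeEntities, expandEntities, parseText and demo functions and the two sample documents are constructed for this example; the precedence of declared over predefined entities is assumed from the advisory text above.

```javascript
// Added illustration of the mechanism described above. This is a toy model,
// not fast-xml-parser's source. It assumes what the advisory states: a
// DOCTYPE entity name is interpolated unescaped into a RegExp, and declared
// entities are expanded before the predefined XML entities.

// The predefined entities other than amp. amp is expanded last so that
// double-encoded text such as "&amp;lt;" yields the literal "&lt;", as XML
// semantics require.
const PREDEFINED = [
  ["lt", "<"],
  ["gt", ">"],
  ["quot", '"'],
  ["apos", "'"],
];

// Constructed DOCTYPE reader: collects <!ENTITY name "value"> declarations.
// The name pattern follows the XML Name production, which allows "." and "-"
// only after the first character.
function readDoctypeEntities(xml) {
  const entities = {};
  const decl = /<!ENTITY\s+([A-Za-z_:][A-Za-z0-9_:.-]*)\s+"([^"]*)"\s*>/g;
  let m;
  while ((m = decl.exec(xml)) !== null) {
    entities[m[1]] = m[2];
  }
  return entities;
}

// Escapes every RegExp metacharacter so a name can only match itself.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Expands entity references in a text value. escapeNames=false puts the
// declared name into the RegExp verbatim (vulnerable); true escapes it
// first (hardened).
function expandEntities(text, doctypeEntities, escapeNames) {
  let val = text;
  for (const [name, value] of Object.entries(doctypeEntities)) {
    const pattern = escapeNames ? escapeRegExp(name) : name;
    val = val.replace(new RegExp("&" + pattern + ";", "g"), value);
  }
  for (const [name, value] of PREDEFINED) {
    val = val.replace(new RegExp("&" + name + ";", "g"), value);
  }
  return val.replace(/&amp;/g, "&");
}

// Returns the decoded text of the single <root> element of a constructed
// document.
function parseText(xml, escapeNames) {
  const entities = readDoctypeEntities(xml);
  const body = /<root>([\s\S]*?)<\/root>/.exec(xml)[1];
  return expandEntities(body, entities, escapeNames);
}

// Constructed sample: unescaped, the name "l." compiles to /&l.;/, which
// also matches "&lt;" and is applied before the predefined lt entity.
const SHADOW_LT = [
  '<!DOCTYPE root [ <!ENTITY l. "<b>shadowed</b>"> ]>',
  "<root>a &lt; b</root>",
].join("\n");

// Constructed sample: "a.p" compiles to /&a.p;/, which matches "&amp;", so
// the double-encoded "&amp;lt;" collapses to "<" instead of staying "&lt;".
const SHADOW_AMP = [
  '<!DOCTYPE root [ <!ENTITY a.p "&"> ]>',
  "<root>&amp;lt;script&amp;gt;</root>",
].join("\n");

// Runs both samples through the vulnerable and the hardened path.
function demo() {
  return {
    ltVulnerable: parseText(SHADOW_LT, false), // "a <b>shadowed</b> b"
    ltFixed: parseText(SHADOW_LT, true), // "a < b"
    ampVulnerable: parseText(SHADOW_AMP, false), // "<script>"
    ampFixed: parseText(SHADOW_AMP, true), // "&lt;script&gt;"
  };
}

console.log(demo());
```

The second sample is the one that matters for encoding bypass: with the name escaped, the amp reference is expanded last and the application gets back the still-encoded text &lt;script&gt;, which is safe to place in a page; with the name unescaped, the same input yields a live script tag.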

Added: Feb 20, 2026, 9:38 PM
Updated: Feb 20, 2026, 9:38 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 1.7
exploitability: 5.4
remediation: 7.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.